The U.S. Securities & Exchange Commission (SEC) provided cybersecurity guidance to the securities industry in the form of a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) on April 15, 2014. The guidance, which is neither a rule nor a regulation, outlines a series of questions that the SEC is sending to approximately 50 registered broker-dealers and investment advisers. According to one SEC official, the OCIE decided to issue a Risk Alert and publish the questions in an attempt to encourage widespread diligence on cybersecurity. The Risk Alert notes that it “is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.” Although the Risk Alert applies specifically to the securities industry, the questions will likely serve as a model for companies nationwide and provide a framework for discussing cybersecurity best practices.
The exam focuses on six key areas:
1. Identification of cybersecurity risks and corporate governance.
2. Protection of networks and information.
3. Risks associated with remote customer access and funds transfer requests.
4. Risks associated with vendors and other third parties.
5. Detection of unauthorized activity.
6. Experiences with certain cybersecurity threats and application of the Identity Theft Red Flag Rules.
The Risk Alert provides a seven-page appendix that details sample questions related to cybersecurity and data protection risk. Many of the questions in the Risk Alert appendix track language outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology in February of this year. The Risk Alert is the first clear application of the NIST guidelines at the SEC level. The Risk Alert also appears to encourage information sharing, specifically asking whether any cyber events were shared with law enforcement, FinCEN, FINRA, any state or federal regulatory agency, or any industry-specific organization. The questions related to experiences with certain cybersecurity threats should be reviewed by any SEC-reporting company, as it appears to outline the types of threats that the SEC may consider important in disclosing in a company’s risk factors.
The SEC’s release of the sample exam questions sends a clear signal to registered securities professionals: analyze your cybersecurity risk management process and make any modifications before the SEC comes knocking on your door. The exam results will inform any future rulemaking, which, after the SEC’s Cybersecurity Roundtable, seems likely. And although the Risk Alert specifically applies to registered broker dealers and investment advisers, any organization would benefit from reviewing the 28-question list and determining areas for improvement.