The exam focuses on six key areas:
1. Identification of cybersecurity risks and corporate governance.
2. Protection of networks and information.
3. Risks associated with remote customer access and funds transfer requests.
4. Risks associated with vendors and other third parties.
5. Detection of unauthorized activity.
6. Experiences with certain cybersecurity threats and application of the Identity Theft Red Flag Rules.
The Risk Alert provides a seven-page appendix that details sample questions related to cybersecurity and data protection risk. Many of the questions in the Risk Alert appendix track language outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology in February of this year. The Risk Alert is the first clear application of the NIST guidelines at the SEC level. The Risk Alert also appears to encourage information sharing, specifically asking whether any cyber events were shared with law enforcement, FinCEN, FINRA, any state or federal regulatory agency, or any industry-specific organization. The questions related to experiences with certain cybersecurity threats should be reviewed by any SEC-reporting company, as it appears to outline the types of threats that the SEC may consider important in disclosing in a company’s risk factors.
The SEC’s release of the sample exam questions sends a clear signal to registered securities professionals: analyze your cybersecurity risk management process and make any modifications before the SEC comes knocking on your door. The exam results will inform any future rulemaking, which, after the SEC’s Cybersecurity Roundtable, seems likely. And although the Risk Alert specifically applies to registered broker dealers and investment advisers, any organization would benefit from reviewing the 28-question list and determining areas for improvement.