SEC Kicks Off Cybersecurity Assessment

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) launched an initiative to assess the cybersecurity of registered broker/dealers and investment advisers.

The OCIE explains in a recent Risk Alert that the cybersecurity assessment will involve 50 audits of broker/dealers and investment advisory firms, focusing on areas related to technology and cyber-threat preparedness.

OCIE auditors say they will seek information related to the firms’ digital governance, identification and assessment of potential cybersecurity risks, and how well the firms actively protect their networks and information infrastructure. Officials hope to use the reviews to develop recommendations and regulation to improve the overall digital security of the investment advisory and securities trading industries.

SEC officials have said they are especially concerned with risks that may be emerging as more providers offer online and mobile access to client accounts and fund transfer requests, as well as risks associated with vendors and other third-party service providers, where detection of unauthorized or illegal activity can be more difficult to identify and police (see “SEC Outlines 2014 Examination Priorities”).

As part of the OCIE’s efforts to promote compliance and to share with the industry where it sees the most significant risks, auditors included an appendix in the Risk Alert that provides advisers and broker/dealers with sample request-for-information documents that will be used in the audits. The OCIE says the appendix is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ current level of preparedness, regardless of whether or not they are included in the actual examination initiative.

The information requests are substantial and ask for information regarding everything from how often an adviser or broker/dealer firm takes inventory of its network hardware and computing devices to whether the firm maintains a written data destruction policy. Another question requests a firm’s “written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident.”

The SEC encourages firms to take a close look at the appendix and the various best practices it suggests across such areas as detection of unauthorized network access and assessing third-party cybersecurity capabilities.