There has been a recent flurry of news reports, analysis and webinars in the securities law world around the Securities and Exchange Commission's ("SEC's") Office of Compliance Inspections and Examinations ("OCIE") proposed 2014 Cybersecurity Initiative. Launched as a major news item this month after the SEC's OCIE published its April 15, 2014 Risk Alert devoted to the topic, the Cybersecurity Initiative redirects the financial industry's compliance focus back to SEC examinations, as OCIE purports to conduct exams on "more than 50 registered broker-dealers and registered investment advisers", focusing specifically on a firm's "cybersecurity preparedness." So what do you need to know the most from this latest Risk Alert? The areas that OCIE will be most concentrating on include:
- The entity's cybersecurity governance [through risk assessments, an inventory of technology, and internal policies and procedures ("P&P")];
- Identification and assessment of cybersecurity risks [malware, network breaches, etc.];
- Protection of networks and information [encryption, etc.];
- Risks associated with remote customer access and funds transfer requests [including external controls for authentication of identity];
- Risks associated with vendors and other third parties [tracking new software packages, etc.];
- Detection of unauthorized activity [how to track the notifications process for intrusions, etc.]; and
- Experiences with certain cybersecurity threats.
Also key to this Risk Alert is its 7-page Appendix, which details a "sample list of requests for information" that the SEC may request in conducting an examination of your firm. While this list is not fully inclusive of all the requests that could be made, it is highly recommended to use it as an important guide for assuring your firm is on track with SEC examination standards. Consider assessing this Appendix and its contents with your compliance and executive team, and then develop and implement an effective cybersecurity policy within your organization. Not only will you be safeguarding and protecting your clients, but you will be better prepared for your next regulatory exam. For further information on this and other related subjects, please contact us at [email protected] or (619) 298-2880.