SEC to Launch Cybersecurity Exams
Will Assess More than 50 Broker-Dealers, Investment Advisers
The Securities and Exchange Commission is planning to conduct more than 50 examinations to assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyberthreats.
Organizations to be examined by the SEC's Office of Compliance Inspections and Examinations include registered broker-dealers and registered investment advisers, according to an April 15 announcement.
The examinations will focus on the entities' identification and assessment of risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.
The SEC did not immediately respond to a request for additional information.
In announcing the cybersecurity examinations, the SEC also provided a sample list of requests for information that examiners may use. "The sample document request is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms' level of preparedness, regardless of whether they are included in OCIE's examinations."
Alan Brill, senior managing director at security advisory firm Kroll Solutions, says that comment from the SEC is particularly significant for all business sectors. "The suggestion that collecting the data in their information request would help the management of any organization to assess their preparedness to prevent, detect and appropriately respond to a cyber-incident [is important]," he says. "With a few modifications for different industries, the questions posed would be ones that I would hope compliance officers, internal auditors and even boards of directors would want to examine to carry out their oversight role over cybersecurity."
Brill says the information offered in the SEC announcement's extensive appendix section can also be used as the basis for an independent third-party assessment of information "by specialists who can bring a lot of experience in identifying commercially reasonable technology and operational solutions."
Karen Evans, a partner at the management consulting service KE&T Partners LLC who previously worked at the Office of Management and Budget, says all business sectors should be conducting risk assessments and reviews of their security programs along the lines the SEC is outlining.
"If you have a good program in place, you should be able to answer those questions to whoever your regulator is," she says. "It shouldn't be a burden if a firm is practicing good information security assurance and risk management."
In its announcement of the upcoming examinations, the SEC says some of the information it may seek from Wall Street companies includes:
- An inventory of physical devices and systems, as well as software platforms and applications;
- A copy of the organization's written information security policy;
- Evidence of whether the organization conducts periodic risk assessments;
- Evidence of whether cybersecurity roles and responsibilities have been explicitly assigned;
- Practices and controls regarding the protection of networks and information utilized by the organization;
- Evidence of whether the organization conducts or requires risk assessments of vendors and business partners;
- Steps taken to detect unauthorized activity on networks and devices;
- Updates on whether the organization experienced any type of cyber-incident.
The SEC sponsored a cybersecurity roundtable on March 26 at which Commissioner Luis Aguilar emphasized the importance of the commission gathering information and "consider[ing] what additional steps the commission should take to address cyberthreats."
"These examinations will help identify areas where the commission and the industry can work together to protect investors and our capital markets from cybersecurity threats," the SEC says.