April 23, 2014
The Securities and Exchange Commission ("SEC") plans to review the cybersecurity defenses of registered broker-dealers and investment advisers, according to a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations ("OCIE") on April 15, 2014. The announcement of this effort comes shortly after the SEC hosted a Cybersecurity Roundtable (the "Roundtable") on March 26, 2014, during which the SEC emphasized the importance of gathering information and determining what additional steps should be taken to address cybersecurity threats.
What Is the Focus of the OCIE Cybersecurity Initiative?
The OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers, a small sampling given that OCIE is responsible for examining approximately 4,500 broker-dealers and over 10,000 investment advisers. Through the examinations, the OCIE is seeking to gain information about the industry’s recent experiences with certain cybersecurity threats and the level of preparedness against such threats. Specifically, the examinations will focus on the following:
The Risk Alert includes a 7-page appendix of sample requests for information that may be used by the OCIE in the conduct of the examinations. Divided into the above listed topics, they inquire about a range of policies and procedures, as well as practices and controls that relate to cybersecurity. The appendix also includes sample requests for detailed information as to how firms assess cybersecurity risks and for information on the firm’s cybersecurity risk management processes. A number of these questions track information outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology ("NIST") earlier this year.[1]
While the sample list of requests for information contained in the Risk Alert appendix is not all-inclusive and will be tailored to the specific circumstances presented by each firm’s information technology environment and systems, it highlights the depth of the OCIE’s examination of cybersecurity policies and practices of broker-dealers and investment advisers. It also serves as an indication of the level of interest by the SEC in an area whose importance has been underscored by a series of high profile cybersecurity incidents in recent months.
The Risk Alert also indicates that, in addition to its role in the conduct of these examinations, the appendix is intended to "empower compliance professionals . . . with questions and tools they can use to assess their firms’ level of preparedness,"[2] regardless of whether the firm is selected to participate in the examinations. Thus, even those firms who are not examined by the OCIE as part of this initiative may find it useful to review the questions presented in the appendix to gauge their cybersecurity preparedness.
The Cybersecurity Landscape and the SEC’s Cybersecurity Roundtable
Cyber attacks are increasing in frequency and sophistication, and the Administration has placed increasing focus on cybersecurity.[3] This focus has resulted in substantive guidance, such as the NIST’s voluntary Cybersecurity Framework mentioned above, as well as heightened interest in determining how the regulatory environment can better address the cybersecurity threats faced by entities in the private sector. The OCIE Cybersecurity Initiative is the latest effort to focus on cybersecurity risks, and it reflects the discussions that occurred during the Roundtable held on March 26, 2014.
The Roundtable brought together public and private sector representatives to discuss cybersecurity and the specific cyber risks that regulated entities and public companies are facing, and was convened to assist the SEC in developing a better understanding of this growing threat. SEC Commissioner Luis Aguilar emphasized the importance of the SEC gathering information on cybersecurity risks and considering what additional steps the SEC should take to address cybersecurity threats.
The OCIE Cybersecurity Initiative is responsive to some of the issues raised during the Roundtable. In particular, the sample requests for information in the appendix reflect some of the overall themes that emerged during the Roundtable:
What Is the Impact of This Announcement?
This is the first time that the OCIE, which administers the SEC’s nationwide examination and inspection program for registered entities, has included cybersecurity in its focus list for annual examinations. The level of detail covered by the sample requests for information provided by the OCIE in the Risk Alert highlights the increasing levels of concern over the cybersecurity threats faced by regulated entities. The impact of the OCIE Cybersecurity Initiative will likely far exceed the examination of 50 broker-dealer and investment adviser firms. OCIE’s publication of the appendix of sample requests for information–which is not common practice–indicates that it wants firms to be analyzing their cybersecurity risk management processes even if they are not selected for examination in connection with the Cybersecurity Initiative. Broker-dealers and investment advisers should carefully evaluate existing cybersecurity policies and practices in light of the extensive sample requests and make any necessary adjustments in advance of routine examinations.
The results of the OCIE’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. The results of this examination will likely have a broad impact, possibly in the form of more rigorous regulations in the area of cybersecurity.
[1] For more information on the Cybersecurity Framework and the potential implications for liability, see "NIST Debuts Cybersecurity Framework" (LTN Technology News, February 20, 2014) and "The Cybersecurity Framework: Risk management process . . . and pathway to corporate liability?" (Westlaw Journal Computer & Internet, December 12, 2013), co-authored by Alexander H. Southwell and Stephenie Gosnell Handler.
[2] OCIE Cybersecurity Initiative, National Exam Program Risk Alert, available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
[3] The President’s 2013 State of the Union address and executive order on improving critical infrastructure cybersecurity have served to focus the Administration on the issue of cybersecurity. See Exec. Order No. 13636, 78 Fed. Reg. 11,739 (Feb. 19, 2013), available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.
Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following members of the Information Technology and Data Privacy Group, the Securities Regulation and Corporate Governance Group, or the Investment Funds Group:
Information Technology and Data Privacy Group:
Alexander H. Southwell – New York (212-351-3981, asouthwell@gibsondunn.com)
M. Sean Royall – Dallas (214-698-3256, sroyall@gibsondunn.com)
Debra Wong Yang – Los Angeles (213-229-7472, dwongyang@gibsondunn.com)
Securities Regulation and Corporate Governance Group:
Amy L. Goodman – Washington, D.C. (202-955-8653, agoodman@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (202-955-8287, eising@gibsondunn.com)
James J. Moloney – Orange County (949-451-4343, jmoloney@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (202-955-8671, rmueller@gibsondunn.com)
Stephenie Gosnell Handler – New York (212-351-4044, shandler@gibsondunn.com)
Investment Funds Group:
C. William Thomas, Jr. – Washington, D.C. (202-887-3735, wthomas@gibsondunn.com)
Jennifer Bellah Maguire – Los Angeles (213-229-7986, jbellah@gibsondunn.com)
Edward D. Nelson – New York (212-351-2666, enelson@gibsondunn.com)
Edward D. Sopher – New York (212-351-3918, esopher@gibsondunn.com)
© 2014 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.