The SEC Assesses Cybersecurity Preparedness in the Securities Industry in the Wake of the Cybersecurity Roundtable

April 23, 2014

The Securities and Exchange Commission ("SEC") plans to review the cybersecurity defenses of registered broker-dealers and investment advisers, according to a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations ("OCIE") on April 15, 2014.  The announcement of this effort comes shortly after the SEC hosted a Cybersecurity Roundtable (the "Roundtable") on March 26, 2014, during which the SEC emphasized the importance of gathering information and determining what additional steps should be taken to address cybersecurity threats.

What Is the Focus of the OCIE Cybersecurity Initiative?

The OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers, a small sampling given that OCIE is responsible for examining approximately 4,500 broker-dealers and over 10,000 investment advisers.  Through the examinations, the OCIE is seeking to gain information about the industry’s recent experiences with certain cybersecurity threats and the level of preparedness against such threats.  Specifically, the examinations will focus on the following:

  • Cybersecurity governance / Identification and assessment of cybersecurity risks;
  • Protection of networks and information;
  • Risks associated with remote customer access and funds transfer requests;
  • Risks associated with vendors and other third parties;
  • Detection of unauthorized activity; and
  • Experiences with certain cybersecurity threats.

The Risk Alert includes a 7-page appendix of sample requests for information that may be used by the OCIE in the conduct of the examinations.  Divided into the above listed topics, they inquire about a range of policies and procedures, as well as practices and controls that relate to cybersecurity.  The appendix also includes sample requests for detailed information as to how firms assess cybersecurity risks and for information on the firm’s cybersecurity risk management processes.  A number of these questions track information outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology ("NIST") earlier this year.[1]

While the sample list of requests for information contained in the Risk Alert appendix is not all-inclusive and will be tailored to the specific circumstances presented by each firm’s information technology environment and systems, it highlights the depth of the OCIE’s examination of cybersecurity policies and practices of broker-dealers and investment advisers.  It also serves as an indication of the level of interest by the SEC in an area whose importance has been underscored by a series of high profile cybersecurity incidents in recent months.

The Risk Alert also indicates that, in addition to its role in the conduct of these examinations, the appendix is intended to "empower compliance professionals . . . with questions and tools they can use to assess their firms’ level of preparedness,"[2] regardless of whether the firm is selected to participate in the examinations.  Thus, even those firms who are not examined by the OCIE as part of this initiative may find it useful to review the questions presented in the appendix to gauge their cybersecurity preparedness.

The Cybersecurity Landscape and the SEC’s Cybersecurity Roundtable

Cyberattacks are increasing in frequency and sophistication, and the Administration has placed increasing focus on cybersecurity.[3]  This focus has resulted in substantive guidance, such as the NIST’s voluntary Cybersecurity Framework mentioned above, as well as heightened interest in determining how the regulatory environment can better address the cybersecurity threats faced by entities in the private sector.  The OCIE Cybersecurity Initiative is the latest effort to focus on cybersecurity risks, and it reflects the discussions that occurred during the Roundtable held on March 26, 2014.

The Roundtable brought together public and private sector representatives to discuss cybersecurity and the specific cyber risks that regulated entities and public companies are facing, and was convened to assist the SEC in developing a better understanding of this growing threat.  SEC Commissioner Luis Aguilar emphasized the importance for the SEC of gathering information on cybersecurity risks and considering what additional steps the SEC should take to address cybersecurity threats.

The OCIE Cybersecurity Initiative is responsive to some of the issues raised during the Roundtable.  In particular, the sample requests for information in the appendix reflect some of the overall themes that emerged during the Roundtable:

  • Cybersecurity is a dynamic and constantly evolving challenge.  Cybersecurity threats should not be viewed as problems that can be completely resolved, but rather as risks that must be managed and mitigated in the same manner as other operational risks faced by companies.  Because of the diversity of companies and their cybersecurity risks, the panelists agreed that a "one-size-fits-all" approach will not be effective to manage cybersecurity risks.  The level of detail contained in the sample requests for information appears aimed at identifying commonalities (and differences) in how cybersecurity threats are identified and managed by individual broker-dealers and investment advisers.  
  • Information sharing is an important tool to address cybersecurity threats.  The panelists at the Roundtable agreed that information sharing–between industry participants, as well as public-private partnerships–can be an important resource for public and private sector actors facing cybersecurity challenges.  The sample requests for information specifically ask about reporting of cyber incidents to a number of different governmental and industry organizations.
  • The board of directors and senior management have an important role to play.  According to the Roundtable panelists, after years of considering cybersecurity risk management the sole domain of information technology personnel, senior management and boards are realizing that cybersecurity should rank highly on their priority list, and studies show an increasing level of awareness of the cybersecurity risks faced by companies today.  While the role of leadership–and the cyber expertise expected of leadership–will vary depending on the nature of the company, the panelists generally agreed that cyber risks should be viewed in a similar manner as operational risks, particularly in their categorization as an enterprise-wide effort.  They emphasized the need to create a culture in which cybersecurity starts "at the keyboard" and with every employee–and in which cybersecurity is viewed not as a technology / information systems issue, but rather as a business issue.  This theme is reflected in a number of different sample requests presented in the OCIE Cybersecurity Initiative appendix.  For instance, there are requests to provide written documentation of cybersecurity roles and responsibilities, supervisory procedures, and business continuity of operations plans that relate to mitigating the effects of cybersecurity incidents.

What Is the Impact of This Announcement?

This is the first time that the OCIE, which administers the SEC’s nationwide examination and inspection program for registered entities, has included cybersecurity in its focus list for annual examinations.  The level of detail covered by the sample requests for information provided by the OCIE in the Risk Alert highlights the increasing levels of concern over the cybersecurity threats faced by regulated entities.  The impact of the OCIE Cybersecurity Initiative will likely far exceed the examination of 50 broker-dealer and investment adviser firms.  OCIE’s publication of the appendix of sample requests for information–which is not common practice–indicates that it wants firms to be analyzing their cybersecurity risk management processes even if they are not selected for examination in connection with the Cybersecurity Initiative.  Broker-dealers and investment advisers should carefully evaluate existing cybersecurity policies and practices in light of the extensive sample requests and make any necessary adjustments in advance of routine examinations.   

The results of the OCIE’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct.  The results of this examination will likely have a broad impact, possibly in the form of more rigorous regulations in the area of cybersecurity.


   [1]   For more information on the Cybersecurity Framework and the potential implications for liability, see "NIST Debuts Cybersecurity Framework" (LTN Technology News, February 20, 2014) and "The Cybersecurity Framework: Risk management process . . . and pathway to corporate liability?" (Westlaw Journal Computer & Internet, December 12, 2013), co-authored by Alexander H. Southwell and Stephenie Gosnell Handler.   

   [2]   OCIE Cybersecurity Initiative, National Exam Program Risk Alert, available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.

   [3]   The President’s 2013 State of the Union address and executive order on improving critical infrastructure cybersecurity have served to focus the Administration on the issue of cybersecurity.  See Exec. Order No. 13636, 78 Fed. Reg. 11,739 (Feb. 19, 2013), available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.

Gibson, Dunn & Crutcher LLP  

Gibson, Dunn & Crutcher’s lawyers are available to assist with any questions you may have regarding these issues.  For further information, please contact the Gibson Dunn lawyer with whom you usually work or any of the following members of the Information Technology and Data Privacy Group, the Securities Regulation and Corporate Governance Group, or the Investment Funds Group:

Information Technology and Data Privacy Group:
Alexander H. Southwell – New York (212-351-3981, [email protected])
M. Sean Royall – Dallas (214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (213-229-7472, [email protected])

Securities Regulation and Corporate Governance Group:
Amy L. Goodman – Washington, D.C.  (202-955-8653, [email protected])
Elizabeth Ising – Washington, D.C. (202-955-8287, [email protected])
James J. Moloney – Orange County (949-451-4343, [email protected])
Ronald O. Mueller – Washington, D.C. (202-955-8671, [email protected])
Stephenie Gosnell Handler – New York (212-351-4044, [email protected])

Investment Funds Group:
C. William Thomas, Jr. – Washington, D.C. (202-887-3735, [email protected])
Jennifer Bellah Maguire – Los Angeles (213-229-7986, [email protected])
Edward D. Nelson – New York (212-351-2666, [email protected])
Edward D. Sopher – New York (212-351-3918, [email protected])

© 2014 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.