The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert this week describing its plans to conduct a second round of cybersecurity examinations of registered broker-dealers and investment advisers. The new alert is meant to “provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls.” OCIE released a similar risk alert for the first round of cybersecurity examinations in April 2014 and subsequently provided a summary of findings in February of this year.
The examinations will focus on topics similar to those reviewed in the first round, but seemingly at a more granular level:
- Governance and Risk Assessment, including whether firms have appropriate controls and processes in place, whether they periodically reexamine these controls and processes, and the extent to which senior management and boards are involved;
- Access Rights and Controls, including how firms use controls to prevent unauthorized access, log access attempts, and periodically review access levels;
- Data Loss Prevention, including how companies monitor the transfer of data outside of the organization (both the volume of data and potentially unauthorized transfers) and how firms verify customer requests for funds transfers;
- Vendor Management, including the due diligence process, monitoring and oversight, and contractual provisions;
- Training, including how training is tailored for employees, how it is designed to encourage behavior, and how it incorporates procedures for responding to a cyber incident; and
- Incident Response, including information regarding actual cyber incidents experienced, and whether examinees “have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.”
The alert also includes, as an appendix, a sample request for the information that may be reviewed during the examinations.