OCIE Announces Second Round of Cybersecurity Examinations
September 18, 2015
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) announced in its most recent Risk Alert[1] (the “Risk Alert”) that it will continue to focus on cybersecurity by conducting additional examinations of registered broker-dealers and investment advisers. OCIE noted that its second round of cybersecurity examinations, which will involve further testing designed to evaluate the implementation of broker-dealers’ and advisers’ procedures and controls, will focus on the following topics:
- Access Rights and Controls. Examiners may consider how firms prevent unauthorized access to their systems and information, and firms’ utilization of user credentials and authentication and authorization methods. This assessment may involve reviewing, among other things, firms’ controls relating to remote access, passwords, login processes and network segmentation.
- Data Loss Prevention. Examiners may evaluate firms’ processes for monitoring both the external transfer of content by firm employees or third parties, such as through e-mail attachments, and unauthorized data transfers. Examiners may also assess how firms verify the authenticity of a request to transfer funds.
- Vendor Management. Examiners may focus on firms’ practices and controls with respect to their use of vendors, including (i) firms’ due diligence when selecting vendors, (ii) monitoring and oversight, (iii) contract terms, (iv) how vendor arrangements are incorporated into firms’ ongoing risk assessment processes, and (v) how firms determine the appropriate level of due diligence to conduct on a vendor.
- Training. Examiners may review how firms tailor their training to specific job functions, how training programs are designed to encourage responsible behavior by both employees and vendors, and how procedures designed to respond to cyber incidents are incorporated into regular training of personnel and vendors.
- Incident Response. Examiners may assess whether firms have established policies, assigned responsibilities, evaluated their systems’ vulnerabilities and created plans to address potential future events, including by determining which data, property and services require the most protection.
- Governance and Risk Assessment. Examiners may evaluate whether firms have cybersecurity governance and risk assessment processes relating to the foregoing areas. Examiners may also assess (i) whether, on a periodic basis, firms are evaluating risks and whether their controls and processes are customized to their business, and (ii) the level of communication to, and involvement of, senior management and boards.
The Risk Alert also includes as an appendix a sample list of information that OCIE may review in connection with its examinations of the aforementioned topics.
[1] National Exam Program Risk Alert, Volume IV, Issue 8 (September 15, 2015).
If you have any questions regarding the matters covered in this memo, please contact any of the partners and counsel listed below or your primary attorney in Seward & Kissel’s Investment Management Group.