SEC Outlines Cybersecurity Questions, Sets Magic Number at 50 Firms
The SEC last week provided even more clarity into its growing focus on cybersecurity at broker dealers and registered investment advisers. A key takeaway in a Risk Alert issued on April 15, 2014, is that the Office of Compliance Inspections and Examinations (OCIE) will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.
To help compliance professionals prepare and assess their firms' cybersecurity preparedness, OCIE has created a sample cybersecurity request document that outlines the types of questions firms can expect. OCIE is careful to point out that these questions should not be considered an all-inclusive list of the information it may request. OCIE will alter its request for information as it considers the specific circumstances presented by each firm's particular systems or information technology environment.
You can find the Risk Alert and questions HERE.
Now What? Preparing for the SEC Cybersecurity Exam
The SEC was kind enough to provide a proverbial map of the directions it may take during a cybersecurity exam; now firms need to assess their internal processes and procedures as well as the technology that supports them. It is important to note that the SEC is just as interested in your Written Information Security Policy (WISP) as it is in your technology safeguards.
The areas the SEC outlined include:
Identification of Risks/Cybersecurity Governance
Protection of Firm Networks and Information
Risks Associated with Remote Customer Access and Funds Transfer Requests
Risks Associated with Vendors and Other Third Parties
Detection of Unauthorized Activity
Other: Identity theft red flags; Security breach incidents; Reported incident history.
Here at Eze Castle Integration, we are going through the questionnaire and beginning to work with clients to answer the various sections. Our WISP team is also on-call to begin the process of developing more comprehensive internal and external policies and procedures around security.
Your IT provider should be able to assist with the technology side, but documented policies and procedures are just as important.