On 15 September 2015, the Office of Compliance and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a follow-up Risk Alert regarding the agency’s continued focus on cybersecurity compliance and controls as part of its 2015 Examination Priorities.
US financial services firms, and firms based in other jurisdictions that have US entities, should be aware that OCIE examinations will include testing to assess how a firm has implemented its procedures and controls in the following areas:
- Governance and Risk Assessment: OCIE may assess the level of involvement and communication between senior management and boards of directors regarding a firm’s commitment toward cybersecurity governance and risk assessment along with processes and controls in place surrounding protection of client information.
- Access Rights and Controls: OCIE may assess a firm’s policies and procedures for preventing unauthorized persons from accessing firm network resources and devices, and for restricting user access. Examiners may review how firms control access to various systems and data through the management of user credentials and their authentication and authorization methods.
- Data Loss Prevention: OCIE may assess how robust the firm’s controls are over the volume of content transferred outside of the firm by employees or third parties, how the firm monitors for potentially unauthorized data transfers, and how it verifies the authenticity of customers’ requests to transfer funds.
- Vendor Management: OCIE may focus on firm practices and controls regarding the due diligence performed on third-party vendor platforms. Examiners may assess documentation surrounding vendor selection, oversight, ongoing monitoring and contract terms.
- Training: OCIE may assess a firm’s cybersecurity training program for employees and vendors on the prevention of breaches as a result of unintentional employee actions, as well as procedures for responding to cyber incidents.
- Incident Response: OCIE may assess whether firms have established policies, assigned roles, assessed vulnerabilities and developed plans to address and mitigate possible future events and necessary notifications.
Following recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, OCIE will continue testing a firm’s preparedness and ability to protect broker-dealer customer and investment advisor client information. These factors are not exhaustive and should be tailored to a firm’s individual needs.