The OCIE Cybersecurity Initiative

Cyber-attacks are now a serious threat to businesses. Victims of cyber-attacks may incur substantial costs including loss of clients, remediation costs, litigation and reputational damage. Recent examples of cyber-attacks on large US companies include J.P. Morgan, American Express, and Target.

The objectives of a cyber-attack may include theft of financial assets, intellectual property, or other sensitive information belonging to the target, their customers or business partners. To address these risks in the investment management sector, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced in January 2014 that its 2014 Examination Priorities would include a focus on technology, including cybersecurity preparedness.

In April, the OCIE issued a Risk Alert to provide additional information concerning this initiative. The OCIE announced that it would conduct examinations of 50 registered investment advisers and 50 broker-dealers focused on the following:

• The entity’s cybersecurity governance
• Identification and assessment of cybersecurity risks
• Protection of networks and information
• Risks associated with remote customer access and funds transfer requests
• Risks associated with vendors and other third parties
• Detection of unauthorized activity
• Experiences with certain cybersecurity threats

As part of the Risk Alert, the OCIE included a sample request list for information and documents used in this initiative. The sample information request list is intended to help compliance professionals in the industry with questions and tools they can use to assess their firm’s level of preparedness.

The goal of the cybersecurity “sweep exam” was to help identify areas where the Commission and the industry can work together to protect investors and capital markets from cybersecurity threats. Speaking at an industry conference in September 2014, Jane Jarcho, National Associate Director of the SEC’s investment adviser and investment company examination program, stated that the agency had completed its cybersecurity initiative exam sweep.

Stating that her observations were preliminary, Ms. Jarcho said that most investment advisers and brokers are assessing electronic security at their firms, but their approach and frequency vary widely. Ms. Jarcho explained that the SEC was just beginning to analyze the sweep exam results and that findings would be released through speeches by agency officials in the coming months, as well as in an investor risk alert.

Registered investment advisers should review the sample request for information list included in the SEC’s April Risk Alert to see the kind of information that the SEC may seek during an examination. Advisers are also encouraged to review the SEC’s sample request list with their IT personnel or providers to assess their current level of cybersecurity preparedness. Some areas to focus on from the request list include:

• Taking an inventory of physical devices and systems
• Conducting periodic assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences
• Conducting periodic assessments to identify physical threats and vulnerabilities that may bear on cybersecurity
• Employing a process for ensuring regular systems maintenance, including timely installation of software patches that address security vulnerabilities
• Conducting an assessment of the functionality of the backup system
• Monitoring and assessing the activity of third-party service providers with access to the investment adviser’s networks