SEC Issues Cybersecurity Initiative Risk Alert

On April 15, the U.S. Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on its Cybersecurity Initiative.¹ The Alert is intended to provide additional information concerning the SEC’s initiative to assess cybersecurity preparedness in the securities industry, including broker-dealers and investment advisers. The SEC has been increasingly focused on cybersecurity issues, beginning with its Cybersecurity Disclosure Guidance issued in October of 2011² and most recently with its Cybersecurity Roundtable.³

In its Alert, the OCIE announced that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas relating to cybersecurity. The initiative is designed to assess cybersecurity preparedness in the securities industry and obtain information about the industry’s recent experiences with certain types of cyberthreats.

The examinations will focus on the following issues:

• cybersecurity governance
• identification and assessment of cybersecurity risks
• protection of networks and information
• risks associated with remote customer access and funds transfer requests
• risks associated with vendors and third parties
• detection of unauthorized activity, and
• experiences with certain cybersecurity threats.

In a rare move, the SEC included a sample questionnaire in the Alert, which will allow firms to prepare for the examination and give non-examined companies an idea of the areas the SEC believes are crucial to its determination of cybersecurity preparedness. The SEC believes that the sample questionnaire will assist compliance professionals in the industry with questions and tools they can use to assess their firms’ level of readiness for cyberthreats. In addition, the SEC indicated that the questionnaire may be used to make appropriate changes to address and strengthen firms’ risk management systems.

The questionnaire, which is seven pages long and contains 28 questions (some with multiple sub-questions), covers a broad range of cybersecurity issues. Some of the questions track information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity,” released by the National Institute of Standards and Technology in February of this year.⁴ The OCIE indicated that it will tailor the questionnaire to the firms it actually examines to take into account the specific circumstances presented by each firm’s particular systems or information technology environment.

Of particular note in the questionnaire is the focus on written policies. The OCIE has identified the following written policies that may be of importance in evaluating cybersecurity preparedness:

• information security policy (and whether this specifically addresses removable and mobile media)
• business continuity of operations plan
• written guidance for employees concerning security risks and responsibilities
• data destruction policy
• cybersecurity incident response policy, and
• policies relating to information security for vendors and business partners.

The questionnaire will also focus on disclosure of cyberattacks experienced by firms since January 1, 2013, including a description of the extent of related losses, customer information accessed, firm services impacted, dates of incidents and discovery and remediation efforts.

Pepper Point: Although the OCIE indicated that only 50 firms will be examined, all firms in this industry should, at minimum, review the sample questionnaire to help assess their preparedness, and particularly to assess whether they need to adopt or update any written policies. Pepper Hamilton’s Privacy, Security and Data Protection Practice Group routinely advises and helps draft these policies and counsels on cybersecurity compliance and training and on appropriate responses to a data breach.

For further information, please watch the following webcasts:

• Bitter C-Suite: Privacy, Security and Data Protection Issues Facing Corporations, Directors and Officers (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2888)
• BYOD (Bring Your Own Device) *Liability and Data Breach Sold Separately (http://www.pepperlaw.com/webinars_update.aspx?ArticleKey=2773)

Or, for further reading, please see:

• Partly Cloudy with a Chance of Data Breach: (http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2730)
• NIST Proposes Privacy Control Roadmap for Organizations (http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2658)
• Executive Order Begins Process of Strengthening Nation’s Cybersecurity and Critical Infrastructure (http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2562).

Endnotes

¹ OCIE Cybersecurity Initiative (can be found at: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf).

² CF Disclosure Guidance: Topic No. 2: Cybersecurity (can be found at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).

³ To view a webcast of the Cybersecurity Roundtable, which took place on March 26, 2014, visit the SEC’s spotlight page: http://www.sec.gov/spotlight/cybersecurity-roundtable.shtml.

⁴ Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014 (can be found at: http://www.nist.gov/cyberframework/).

Prepared by  Sharon R. Klein and Melissa Louise Nuñez, both with EACCNY Founding member Pepper Hamilton, LLP.