On April 15, 2014, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) released a National Exam Priority Risk Alert announcing its initiative to evaluate cybersecurity policies currently utilized in the securities industry. OCIE's implementation of the Risk Alert is the product of the SEC's March 26, 2014 cybersecurity roundtable, which emphasized the importance of cyber-readiness for broker-dealers and investment advisers.
Pursuant to the Risk Alert, OCIE will interview 50 registered broker-dealers and investment advisers regarding their cybersecurity policies. OCIE has also provided a sample request for information in the Risk Alert to enable any firm not examined by OCIE to independently evaluate its cybersecurity policies. The sample request for information is not all-inclusive, and OCIE may tailor or amend its requests for information in order to best address the particular circumstances of each firm.
According to the Risk Alert, this disclosure "is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms' level of preparedness." OCIE's examinations will focus on the following areas: cybersecurity governance; identification of cybersecurity risks; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; protection of networks and information; detection of unauthorized activity; and experiences with cybersecurity threats.
OCIE's decision to address cybersecurity in its annual examinations, along with its public release of a sample request for information, signals that the SEC has increased its scrutiny of broker-dealer and investment adviser cybersecurity policies. Registered broker-dealers and investment advisers should review their current cybersecurity policies in order to best prepare for a potential cybersecurity examination by OCIE.