SEC Issues Cybersecurity Risk Alert


On April 15th, the SEC's Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert concerning its initiative to assess the cybersecurity preparedness of the securities industry. The Risk Alert states that OCIE will conduct examinations of more than 50 registered broker-dealers and investment advisers in order to identify areas where the SEC and the industry "can work together to protect investors and our capital markets from cybersecurity threats."

To facilitate compliance, the Risk Alert includes a sample information request ("Request") that outlines the following areas where OCIE sees risk and will focus its examinations:

  1. Identification of Risks/Cybersecurity Governance
  2. Protection of Firm Networks and Information
  3. Risks Associated with Remote Customer Access and Funds Transfer Requests
  4. Risks Associated with Vendors and Other Third Parties
  5. Detection of Unauthorized Activity
  6. Experiences with Certain Cybersecurity Threats.

The Request provides a detailed roadmap of factors that firms may wish to consider in assessing their supervisory, compliance, and risk management systems. The 28 factors listed include several questions relating to:

  • network security,
  • physical security,
  • periodic cybersecurity risk assessments,
  • contracting with and monitoring vendors and other third parties,
  • cybersecurity roles and responsibilities for employees and managers, and
  • cybersecurity insurance. 

The Risk Alert follows closely on the heels of the SEC's Cybersecurity Roundtable held on March 26, during which Chair Mary Jo White stated that the SEC's "formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information."  Although the Risk Alert focuses on registered broker-dealers and investment advisers, other SEC-regulated entities that maintain client accounts or directly process customer transactions on an application-way basis may find it prudent to review the factors identified in the Risk Alert and keep a close eye on how these examinations play out in the coming year.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields Jorden Burt | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.