SEC Signals Increased Attention to Cybersecurity Preparedness


As part of its increased attention to cybersecurity preparedness, the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examination (OCIE) recently announced it will perform cybersecurity preparedness examinations on more than 50 registered investment advisers and broker-dealers.

The SEC's decision underpins concerns raised by SEC Chair Mary White in her opening statement at the SEC Roundtable on Cybersecurity in March 2014. The growing security threat to the U.S. financial system and its institutions in light of the Target breach and persistent attempts by hackers to gain access to U.S. and global financial infrastructure were among the concerns expressed. In his follow-on statements during the Roundtable, SEC Commissioner Luis Aguilar noted a 2012 global survey of securities exchanges in which 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year. The SEC has determined that investment advisers, broker-dealers, and fund managers provide a "back door" through which hackers can gain access to sensitive financial information about U.S. and global financial architecture and institutions. In the wake of these concerns, the SEC is likely to focus its examinations of registered investment advisers and broker-dealers on the following areas:

  • cybersecurity governance policies and practices
  • protection of networks and information
  • identification of cybersecurity risks
  • funds transfer requests
  • remote customer access
  • third party systems
  • means for detecting unauthorized access and activity
  • past performance in response to cybersecurity threats

As part of its document requests to advisers and broker-dealers, the OCIE will likely seek detailed information regarding:

  • the firm's practices for detecting unauthorized network and device activity and the key persons responsible for carrying out such practices
  • whether the firm has had cybersecurity breaches since January 1, 2013, and the nature, duration, frequency, and severity of such events and related remediation efforts by the firm
  • the firm's third party contractors and business partners who conduct remote maintenance, and cybersecurity risk assessments on such vendors and partners
  • on-line account access, customer authentication procedures, including PINs, deletion software, and information given to customers regarding cybersecurity threats

While threats and actual breaches remain likely to occur, the SEC is endeavoring to ensure that registered investment advisers and broker-dealers are acting proactively to staunch risks to their cybersecurity architecture, investors, and customers.

In order to prepare for such examinations, registered investment advisers and broker-dealers should undertake a thorough review of existing cybersecurity policies and procedures, including related supervisory, compliance, and risk management systems. In addition, investment advisers and broker-dealers should take steps now to address and/or to strengthen cybersecurity policies, procedures, and systems and to collate all relevant documentation evidencing such compliance in order to timely and thoroughly respond to OCIE document requests.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP | Attorney Advertising
