SEC Staff to Conduct Broker-Dealer and Investment Adviser Examinations Focused on Cybersecurity

by Dechert LLP

The Securities and Exchange Commission’s (the “SEC” or the “Commission”) Office of Compliance Inspections and Examinations (“OCIE”) announced in an April 15, 2014 Risk Alert (the “Alert”) that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.1 This is consistent with recent indications, from both individual commissioners and the staff, that emphasize the importance of cybersecurity to the financial sector. Information security has been identified as one of OCIE’s “most significant initiatives across the entire N[ational] E[xam] P[rogram].”2 Just last month, the Commission sponsored a roundtable focused on cybersecurity, during which Commission Chair Mary Jo White indicated that cybersecurity threats are “of extraordinary and long-term seriousness.”3 Commissioner Luis Aguilar remarked at the roundtable that “the increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors.”4 This newly announced cybersecurity-focused examination initiative further demonstrates that the Commission’s staff is ready to take action. Financial sector compliance professionals would be well advised to do the same.

Data Privacy and Cybersecurity Regulation: An Evolving Mosaic

Statutes and regulations at both the state and federal levels impose an array of data privacy-related duties on industry participants. Most prominently, Regulation S-P provides that “[e]very broker, dealer, and investment company, and every investment adviser registered with the [SEC] must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”5 Regulation S-P requires that these policies and procedures be “reasonably designed” to (i) “[i]nsure the security and confidentiality of customer records and information;” (ii) “[p]rotect against any anticipated threats or hazards to the security or integrity of customer records and information;” and (iii) “[p]rotect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”

Last year, Regulation S-ID (the “Red Flags Rules”) added new requirements to the mix.6 As discussed in a previous OnPoint, the Red Flags Rules require entities covered thereby to develop and implement a written, board-approved program that will identify and detect the warning signs – or “red flags” – of identity theft.7

New SEC Staff Guidance Provides Added Clarity at the Federal Level

Up until early April, SEC staff guidance regarding data privacy and cybersecurity preparedness had been broadly presented. But the Alert provides SEC staff guidance on a much more granular and task-specific level. Beyond the SEC staff's recent notice to the industry that examinations on the issue are imminent, the Alert provides a sample set of 28 information requests that OCIE “may use in conducting examinations of registered entities regarding cybersecurity matters.”8 These sample requests are “intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness[.]” The list sheds a much needed light on the depth of compliance readiness that is expected.

OCIE’s sample set of examination inquiries focuses on a firm’s ability to:

(i) self-identify its own cybersecurity risks;

(ii) protect its networks;

(iii) ensure secure remote access and transfer requests;

(iv) safeguard client information from third parties (including those who have been granted access, such as vendors and business partners);

(v) detect unauthorized activity;

(vi) recover from an adverse cybersecurity event;

(vii) appropriately monitor and respond to new cybersecurity regulations; and

(viii) adapt to the evolving cybersecurity landscape by determining its own set of best practices. 

These inquiries focus on a firm’s own governance and management of its cybersecurity risk through targeted policies, procedures, self-monitoring, and self-oversight. The Alert recognizes that this may include assistance from outside vendors or business partners. 

Additionally, firms subject to these regulations should note that the Alert provides a non-exhaustive list of where an inquiry may be focused.9 The set of inquiries actually posed to any particular firm may (and in all likelihood will) be tailored to that firm’s risk profile.

What Happens Now: How to Prepare for a Possible OCIE Examination

In light of this announcement, industry compliance professionals should take action. Even if a firm already has data privacy and cybersecurity policies in place, this announcement represents an opportunity to evaluate the completeness and effectiveness of these policies. Notably, the inquiries focus not only on whether policies are in place, but also whether they have proved effective, when certain tasks were last completed, and how frequently they occur.

Financial firms should make a plan that includes the following:

  • Assign responsibility.
    • Involve senior management and ensure appropriate board approval.
    • Document the relevant roles and responsibilities.
    • Ensure that there is awareness of these issues at all levels.
  • Read the Alert and understand the firm’s duties.
    • Understand which regulations apply to your firm.
    • Know how the firm would respond to each inquiry if examined.
    • Take steps to analyze what may create cybersecurity risk for the firm.10
  • Evaluate and re-evaluate your own set of risks.
    • Learn whether policies are being followed.
    • Discover the firm’s vulnerabilities.
    • Recognize that if your firm faces a risk, it’s likely a risk for other firms too. The more widespread a risk, the more likely it is to draw regulatory attention.
    • Become familiar with relevant industry standards.
  • Take action to address risks and vulnerabilities.
    • Update the firm’s policies. Recognize that the risks in this area are always evolving. The way firms address these risks should evolve accordingly.
    • Create and keep a record of how the firm addressed these issues.
    • Understand the firm’s disclosure obligations.
  • Plan the firm’s next risk assessment.

Consider Contributing to the SEC’s Understanding of Industry Cybersecurity Risks

In addition to signaling an increased focus on cybersecurity regulatory compliance, the Alert demonstrates the SEC staff’s willingness to engage in a meaningful dialogue with the industry. Indeed, one sample question inquires as to “[w]hat . . . the [f]irm presently consider[s] to be its three most serious cybersecurity risks, and why[.]”11 Another question encourages the firm to submit information that will contribute to the SEC’s evaluation of a firm’s specific “cybersecurity posture” or to that of the securities industry in general. In-house compliance professionals should consider whether it is appropriate for their firms to contribute to this conversation. 

Conclusion

The Commissioner statements at the SEC roundtable, and the OCIE examinations initiative summarized in the Alert, further establish that cybersecurity is on the SEC’s radar. OCIE presents this list of sample inquiries as a way for firms to understand their obligations. The Alert provides an opportunity to take stock of a firm’s current efforts in this area. Registered advisers and broker-dealers should take the opportunity to prepare for a potential examination focused on cybersecurity. Other financial sector organizations should consider doing the same. The review should involve a systematic, objective look at where the firm stands and consideration of meaningful steps to comply with these ever-evolving compliance obligations.

Footnotes

1

2

3 Chair Mary Jo White, “Opening Statement at SEC Roundtable on Cybersecurity” (March 26, 2014).

4 Commissioner Luis A. Aguilar, “The Commission’s Role in Addressing the Growing Cyber-Threat,” Statement at SEC Roundtable on Cybersecurity (March 26, 2014).

5 17 CFR § 248.30(a) (emphasis added).

6 17 CFR § 248.201.

7

8

9 As the Alert notes, “some of the factors discussed . . . reflect existing regulatory requirements [and] are not intended to alter such requirements.” Additionally, “future changes in laws or regulations may supersede some of the factors or issues raised [in the Alert].”

10 The Alert “should not be considered all inclusive of the information OCIE may request.”

11

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
