Last month, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) formally announced its cybersecurity initiative in a Risk Alert. The initiative followed up on OCIE’s announced prioritization of cybersecurity preparedness as part of its 2014 Examination Priorities. The initiative is also timely because the general public is becoming more conscious of cybersecurity risks and its dangers as they learn of major breaches at Target Corp., Neiman Marcus, Michaels Stores Inc., and other companies. The security of personal information is even more important at financial services companies, which often have a large amount of sensitive personal information about their customers.
The OCIE’s approach is refreshingly proactive: “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Further, the areas of cybersecurity assessment are quite broad and they cover “the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Importantly, the OCIE examination is detailed and specific about ensuring the adequacy and efficacy of cybersecurity measures. For example, the list of questions regarding identification of cybersecurity risks requires exact dates and times and is prefaced with “please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice…”.
Further, the OCIE examination questions require naming the person(s) conducting the cybersecurity measures and when those measures were last checked or implemented. For example, the questions on identification of risks/cybersecurity governance include:
Who (business group/title) conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences, and in what month and year was the most recent assessment completed?
Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Similarly, the questions regarding a written cybersecurity incident response policy seeks a copy of the policy, the year it was most recently updated, whether there are tests to assess the policy, who conducts the tests, and when and by whom the last test was conducted. Likewise, the questions on event detection processes seek the month and year of the most recent test.
The examination questions also seek a summary of any actual cybersecurity incidents, the services affected, nature of the breach, the availability of services during the breach, and number of other questions about each cybersecurity incident. Notably, although the examination requires companies to provide a large amount of information, the SEC explicitly issued a disclaimer that the “factors are not exhaustive, nor will they constitute a safe harbor.”
Nonetheless, it is good to see the SEC take a proactive approach to the cybersecurity risks posed to financial institutions. Hopefully, this will flow down to other companies because cybersecurity is a hot-button topic that is very concerning to customers and unlikely to be fully resolved soon. With cooperation between government agencies and the private industry, we can be hopeful that cybersecurity risks can be mitigated. As SEC Chair White has noted, there is a “compelling need for stronger partnerships between the government and private sector” to address cybersecurity threats.