SEC Tells Investment Advisers and Private Equity Firms to Prepare for Cyber Attacks

As part of its “Cybersecurity Initiative,” the SEC’s Office of Compliance Inspections and Examinations (OCIE) has sent extensive cybersecurity document requests to more than 50 registered broker-dealers and registered investment advisers.  Furthermore, the OCIE stated that its examinations are intended to provide to others in the industry “questions and tools they can use to assess their firms’ level of preparedness,” thereby sending the message to all registered firms that they should be taking steps now to assess and upgrade their data security infrastructure, policies and procedures.

So what actions should broker-dealers and investment advisers be taking?  The sample document request gives some indication of the SEC’s expectations for cybersecurity preparedness and provides a roadmap for registered firms. Some examples include:

  • What actions are taken to identify cyber risks, such as mapping network resources, cataloguing external connections to the network, and inventorying devices and software, and the dates the actions were last taken?
  • What actions are taken to detect unauthorized activity on the network and devices, and when and by whom the actions are carried out?
  • What types of periodic risk assessments are conducted and the dates the assessments were last conducted?
  • A description of the firm’s cybersecurity insurance coverage and, if applicable, the firm’s claims history.
  • A description of security measures relating to remote customer access and funds transfer requests.
  • A description of risk assessments of vendors and business partners.
  • Detailed information regarding any incidents since January 1, 2013, such as detecting malware, unauthorized access to the network, denial of service attacks, fraudulent activity resulting from the compromise of a customer’s or vendor’s computer, and extortion attempts by persons threatening to impair or damage the network.

The OCIE is also requesting copies of each firm’s policies regarding a wide range of cybersecurity matters, including policies covering information security, business continuity after a breach, employee training, removable and mobile media (i.e., thumb drives and smart phones), data destruction, and cybersecurity incident response.

The SEC’s Risk Alert can be found here.

Topics:  Cyber Attacks, Cybersecurity, Investment Adviser, OCIE, Private Equity, SEC

Published In: Finance & Banking Updates, Privacy Updates, Science, Computers & Technology Updates, Securities Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson & Knight LLP | Attorney Advertising
