SEC Tells Investment Advisers and Private Equity Firms to Prepare for Cyber Attacks


As part of its “Cybersecurity Initiative,” the SEC’s Office of Compliance Inspections and Examinations (OCIE) has sent extensive cybersecurity document requests to more than 50 registered broker-dealers and registered investment advisers. Furthermore, the OCIE stated that its examinations are intended to provide to others in the industry “questions and tools they can use to assess their firms’ level of preparedness,” thereby sending the message to all registered firms that they should be taking steps now to assess and upgrade their data security infrastructure, policies and procedures.

So what actions should broker-dealers and investment advisers be taking? The sample document request gives some indication of the SEC’s expectations for cybersecurity preparedness and provides a roadmap for registered firms. Some examples include:

  • What actions are taken to identify cyber risks, such as mapping network resources, cataloguing external connections to the network, and inventorying devices and software, and the dates the actions were last taken?
  • What actions are taken to detect unauthorized activity on the network and devices, and when and by whom the actions are carried out?
  • What types of periodic risk assessments are conducted and the dates the assessments were last conducted?
  • A description of the firm’s cybersecurity insurance coverage and, if applicable, the firm’s claims history.
  • A description of security measures relating to remote customer access and funds transfer requests.
  • A description of risk assessments of vendors and business partners.
  • Detailed information regarding any incidents since January 1, 2013, such as detecting malware, unauthorized access to the network, denial of service attacks, fraudulent activity resulting from the compromise of a customer’s or vendor’s computer, and extortion attempts by persons threatening to impair or damage the network.

The OCIE is also requesting copies of each firm’s policies regarding a wide range of cybersecurity matters, including policies covering information security, business continuity after a breach, employee training, removable and mobile media (e.g., thumb drives and smartphones), data destruction, and cybersecurity incident response.

The SEC’s Risk Alert can be found here.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thompson & Knight LLP | Attorney Advertising
