SEC to Conduct Cybersecurity Examinations of Registered Investment Advisers and Broker-Dealers


On April 15, 2014, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) announced in a risk alert that it will conduct cybersecurity examinations of over 50 registered investment advisers and broker-dealers.[1] The examinations are part of OCIE's initiative to assess cybersecurity preparedness in the securities industry and obtain information on the industry's recent experiences with certain types of cyber threats. This latest announcement affirms the SEC's increased interest in the cybersecurity preparedness of regulated firms, a concern which has been identified as an examination priority for 2014 and was the subject of an SEC roundtable held on March 26, 2014.[2]

Cybersecurity Examinations

To assist firms in their compliance efforts regarding cybersecurity preparedness, OCIE has included a sample document request in its risk alert. Based on these materials, it appears that cybersecurity examinations will target the following areas:

  • Cybersecurity governance and identification and assessment of cybersecurity risks;

  • Protection of networks and information;

  • Risks associated with remote customer access and funds transfer requests;

  • Risks associated with vendors and other third parties;

  • Detection of unauthorized activity; and

  • Experiences with certain cybersecurity threats.

Registered investment advisers and broker-dealers should note that the risk alert and sample document request do not purport to be all-inclusive, and should expect that OCIE will tailor its examination based on the specific circumstances of the firm. In addition, the risk alert does not specify when examinations are expected to begin or how much advance notice a firm selected for examination will receive.

Action Items

Registered investment advisers and broker-dealers, regardless of whether they are selected for examination, should assess their cybersecurity infrastructure and policies in light of the items covered in the risk alert and the sample document request. In addition, firms should develop a plan for regularly testing the adequacy of their cybersecurity infrastructure and policies. Firms should implement periodic training for firm personnel and, if applicable, third-party vendors and business partners authorized to access firm networks. Firms should also document any compliance measures taken as well as any cybersecurity threats they encounter (including any remedial steps undertaken in response to such threats).

If you have any questions regarding OCIE's cybersecurity initiative and examinations, please feel free to contact your usual contact at Proskauer or any of the Proskauer attorneys listed in this alert.

[1] A copy of the April 15, 2014 risk alert can be obtained here.

[2] A list of OCIE's Examination Priorities for 2014 is available here. For more information on the recent cybersecurity roundtable, please visit the SEC's website.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer Rose LLP | Attorney Advertising

Written by: Proskauer Rose LLP
