On April 14, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Cybersecurity Initiative Risk Alert (“Risk Alert”), further highlighting the importance the Securities and Exchange Commission (“SEC”) is placing on cybersecurity preparedness. The Risk Alert is the latest in a series of public statements and guidance on cybersecurity issues coming from the SEC and other financial markets regulators in 2014. Earlier this year, OCIE included cybersecurity preparedness in its 2014 National Examination Priorities, and the Financial Industry Regulatory Authority (“FINRA”) made a similar priorities announcement and issued cybersecurity sweep letters. The U.S. Commodity Futures Trading Commission (“CFTC”) weighed in with cybersecurity guidance as well. The comments of both SEC Chair Mary Jo White and Commissioner Luis Aguilar at the SEC’s recent Cybersecurity Roundtable made clear that financial institutions and regulated firms must be proactive in developing and maintaining effective information security programs. What such a program should look like has been brought into sharp focus with the release of the Risk Alert.
The Risk Alert is essentially a “take home test” for any financial institution or regulated firm preparing for an OCIE examination, or conducting internal testing to strengthen its security program. While the Roundtable discussions addressed the “why” and “what” of cybersecurity in the securities industry and financial markets, the Risk Alert provides an outline of “how” OCIE is going to assess cybersecurity preparedness in the securities industry, and how it will obtain information about the industry’s recent experiences with certain types of cyber threats. OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisors in the areas of cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with third parties, detection of unauthorized activity, and experiences with “certain cybersecurity threats” (which seems to translate to Distributed Denial of Service attacks).
The real eye-opener in the Risk Alert is the attached seven-page sample document request consisting of 28 comprehensive questions for registered entities covering information technology asset management (including network maps, logging capability, and destruction or disposition of equipment); information security organization and policies (and whether the policies use cybersecurity risk management standards such as those published by the National Institute of Standards and Technology or the International Standards Organization); risk assessments; access management; removable media and data loss prevention; encryption; incident response planning; system and data backup and disaster recovery/business continuity; and cyber insurance. The Risk Alert also addresses threats associated with remote customer access and fund transfer requests. The questions cover the use of authentication, detection of anomalous transaction requests and procedures for verifying requests, and information provided to customers regarding cybersecurity risks or security guarantees. There is a request for information regarding the firm’s implementation of the joint CFTC/SEC Identity Theft Red Flags Rules that became effective in 2013.
As seen in guidance from other financial regulators, the Risk Alert addresses third-party relationships, including vendor assessment policies, practices and questions, standard contract language relating to cybersecurity risk, training, control of remote network access for maintenance, and the extent to which a firm assesses the “segregation of sensitive network resources from resources accessible to third parties” (i.e., the “Target Stores problem”). The assessment questions address detection of unauthorized activity in the network, including rogue and non-permitted device detection, event correlation, network monitoring, malware detection, alert thresholds, penetration testing and vulnerability scans, and implementation of lessons learned from events. The substance of the information OCIE seeks through these questions is consistent with FINRA’s requests in the sweep letters it issued earlier this year. However, the Risk Alert includes questions related to physical security, which are absent from the FINRA letter. Conversely, the FINRA letter requests information about internal communications or reporting to executive management or the board of directors, as well as information-sharing externally within the industry or from private-sector sources.
Last, but certainly not least, OCIE asks a series of questions relating to disclosure, seeking specifics as to reporting of cybersecurity events and corporate assessment of cybersecurity risk and best practices. These questions appear to be designed to elicit the information sought by Commissioner Aguilar at the SEC Roundtable regarding whether the SEC’s Division of Corporation Finance 2011 Disclosure Guidance is working or should be revised. While the questions seem to be carefully crafted to limit responsive information to only significant events, the data obtained from responding firms should be carefully evaluated to ensure that incorrect conclusions, or conclusions that are valid but irrelevant, do not drive disclosure decisions. For example, critical network resources could be impacted by software or hardware malfunctions having nothing to do with cybersecurity issues, and such malfunctions may not, in fact, adversely impact service delivery because of redundancy or the availability of backup systems.
Those SEC-regulated entities that are affiliated with national banks should have many, if not all, of the programs described in the Risk Alert questions already in place, given the comprehensive compliance programs required by the Federal Financial Institutions Examination Council. The SEC will most likely get its best assessment of the state of cybersecurity in the securities industry through its interaction with small and medium-sized firms. This analysis will presumably result in updated disclosure guidance and possibly another review of the proposed revision to Regulation S-P. Whatever the result, all firms regulated by the SEC are now on notice that they must be able to answer the basic questions of whether they have an information security program, employee training, an event response process, a business continuity plan, and some level of network monitoring and access management. While the nature and extent of these programs will vary with the size and complexity of the firm and the cybersecurity risk presented, the basic elements have been identified in these questions.