The Securities and Exchange Commission’s (the “SEC” or the “Commission”) Office of Compliance Inspections and Examinations (“OCIE”) announced in an April 15, 2014 Risk Alert (the “Alert”) that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.[1] This is consistent with recent indications, from both individual commissioners and the staff, that emphasize the importance of cybersecurity to the financial sector. Information security has been identified as one of OCIE’s “most significant initiatives across the entire N[ational] E[xam] P[rogram].”[2] Just last month, the Commission sponsored a roundtable focused on cybersecurity during which Commission Chair Mary Jo White indicated that cybersecurity threats are “of extraordinary and long-term seriousness.”[3] Commissioner Luis Aguilar remarked at the roundtable that “the increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors.”[4] This newly announced cybersecurity-focused examination initiative further demonstrates that the Commission’s staff is ready to take action. Financial sector compliance professionals would be well advised to do the same.
Data Privacy and Cybersecurity Regulation: An Evolving Mosaic
Statutes and regulations at both the state and federal levels impose an array of data privacy-related duties on industry participants. Most prominently, Regulation S-P provides that “[e]very broker, dealer, and investment company, and every investment adviser registered with the [SEC] must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”[5] Regulation S-P requires that these policies and procedures be “reasonably designed” to (i) “[i]nsure the security and confidentiality of customer records and information;” (ii) “[p]rotect against any anticipated threats or hazards to the security or integrity of customer records and information;” and (iii) “[p]rotect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
Last year, Regulation S-ID (the “Red Flags Rules”) added new requirements to the mix.[6] As discussed in a previous OnPoint, the Red Flags Rules require entities covered thereby to develop and implement a written, board-approved program that will identify and detect the warning signs – or “red flags” – of identity theft.[7]
New SEC Staff Guidance Provides Added Clarity at the Federal Level
Up until early April, SEC staff guidance regarding data privacy and cybersecurity preparedness had been broadly presented. But the Alert provides SEC staff guidance on a much more granular and task-specific level. Beyond the SEC staff's recent notice to the industry that examinations on the issue are imminent, the Alert provides a sample set of 28 information requests that OCIE “may use in conducting examinations of registered entities regarding cybersecurity matters.”[8] These sample requests are “intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness[.]” The list sheds a much needed light on the depth of compliance readiness that is expected.
OCIE’s sample set of examination inquiries focuses on a firm’s ability to:
(i) self-identify its own cybersecurity risks;
(ii) protect its networks;
(iii) ensure secure remote access and transfer requests;
(iv) safeguard client information from third parties (including those who have been granted access, such as vendors and business partners);
(v) detect unauthorized activity;
(vi) recover from an adverse cybersecurity event;
(vii) appropriately monitor and respond to new cybersecurity regulations; and
(viii) adapt to the evolving cybersecurity landscape by determining its own set of best practices.
These inquiries focus on a firm’s own governance and management of its cybersecurity risk through targeted policies, procedures, self-monitoring, and self-oversight. The Alert recognizes that this may include assistance from outside vendors or business partners.
Additionally, firms subject to these regulations should note that the Alert provides a non-exhaustive list of where an inquiry may be focused.[9] The set of inquiries actually posed to any particular firm may (and in all likelihood will) be tailored to that firm’s risk profile.
What Happens Now: How to Prepare for a Possible OCIE Examination
In light of this announcement, industry compliance professionals should take action. Even if a firm already has data privacy and cybersecurity policies in place, this announcement represents an opportunity to evaluate the completeness and effectiveness of these policies. Notably, the inquiries focus not only on whether policies are in place, but also whether they have proved effective, when certain tasks were last completed, and how frequently they occur.
Financial firms should make a plan that includes the following:
Involve senior management and ensure appropriate board approval.
Document the relevant roles and responsibilities.
Ensure that there is awareness of these issues at all levels.
Read the Alert and understand the firm’s duties.
Understand which regulations apply to your firm.
Know how the firm would respond to each inquiry if examined.
Take steps to analyze what may create cybersecurity risk for the firm.[10]
Evaluate and re-evaluate your own set of risks.
Learn whether policies are being followed.
Discover the firm’s vulnerabilities.
Recognize that if your firm faces a risk, it’s likely a risk for other firms too. The more widespread a risk, the more likely it is to draw regulatory attention.
Become familiar with relevant industry standards.
Take action to address risks and vulnerabilities.
Update the firm’s policies. Recognize that the risks in this area are always evolving. The way firms address these risks should evolve accordingly.
Create and keep a record of how the firm addressed these issues.
Understand the firm’s disclosure obligations.
Plan the firm’s next risk assessment.
Consider Contributing to the SEC’s Understanding of Industry Cybersecurity Risks
In addition to signaling an increased focus on cybersecurity regulatory compliance, the Alert demonstrates the SEC staff’s willingness to engage in a meaningful dialogue with the industry. Indeed, one sample question inquires as to “[w]hat . . . the [f]irm presently consider[s] to be its three most serious cybersecurity risks, and why[.]”[11] Another question encourages the firm to submit information that will contribute to the SEC’s evaluation of a firm’s specific “cybersecurity posture” or to that of the securities industry in general. In-house compliance professionals should consider whether it is appropriate for their firms to contribute to this conversation.
The Commissioner statements at the SEC roundtable, and the OCIE examinations initiative summarized in the Alert, further establish that cybersecurity is on the SEC’s radar. OCIE presents this list of sample inquiries as a way for firms to understand their obligations. The Alert provides an opportunity to take stock of a firm’s current efforts in this area. Registered advisers and broker-dealers should take the opportunity to prepare for a potential examination focused on cybersecurity. Other financial sector organizations should consider doing the same. The review should involve a systematic, objective look at where the firm stands and consideration of meaningful steps to comply with these ever-evolving compliance obligations.