The SEC’s Cybersecurity Assessment: A Roadmap for Companies Nationwide


The U.S. Securities & Exchange Commission (SEC) provided cybersecurity guidance to the securities industry in the form of a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) on April 15, 2014. The guidance, which is neither a rule nor a regulation, outlines a series of questions that the SEC is sending to approximately 50 registered broker-dealers and investment advisers. According to one SEC official, the OCIE decided to issue a Risk Alert and publish the questions in an attempt to encourage widespread diligence on cybersecurity. The Risk Alert notes that it “is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.” Although the Risk Alert applies specifically to the securities industry, the questions will likely serve as a model for companies nationwide and provide a framework for discussing cybersecurity best practices.

The exam focuses on six key areas:

1. Identification of cybersecurity risks and corporate governance.

2. Protection of networks and information.

3. Risks associated with remote customer access and funds transfer requests.

4. Risks associated with vendors and other third parties.

5. Detection of unauthorized activity.

6. Experiences with certain cybersecurity threats and application of the Identity Theft Red Flag Rules.

The Risk Alert provides a seven-page appendix that details sample questions related to cybersecurity and data protection risk. Many of the questions in the Risk Alert appendix track language outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology in February of this year. The Risk Alert is the first clear application of the NIST guidelines at the SEC level. The Risk Alert also appears to encourage information sharing, specifically asking whether any cyber events were shared with law enforcement, FinCEN, FINRA, any state or federal regulatory agency, or any industry-specific organization. The questions related to experiences with certain cybersecurity threats should be reviewed by any SEC-reporting company, as it appears to outline the types of threats that the SEC may consider important in disclosing in a company’s risk factors.

The SEC’s release of the sample exam questions sends a clear signal to registered securities professionals: analyze your cybersecurity risk management process and make any modifications before the SEC comes knocking on your door. The exam results will inform any future rulemaking, which, after the SEC’s Cybersecurity Roundtable, seems likely. And although the Risk Alert specifically applies to registered broker dealers and investment advisers, any organization would benefit from reviewing the 28-question list and determining areas for improvement.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:


Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.