Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing its Cybersecurity Initiative. What does this mean to broker-dealers and investment advisers and, even if you are not one of the “chosen 50,” what should your firm be doing? Read on…
Through this initiative, the OCIE staff will conduct cybersecurity examinations of approximately 50 broker-dealers and investment advisers. Notably, the Risk Alert includes a sample of the types of questions and information the OCIE staff would be requesting as part of these investigations. As noted by John Reed Stark, the SEC’s former chief of Internet enforcement and now a managing director at Stroz Friedberg: “[w]ith the public disclosure of this questionnaire, the SEC is giving up the surprise of one aspect of their exam program and opting to provide to SEC-registered financial firms a rare chance to prepare.”
Even though a majority of broker-dealers and investment advisers won’t end up being subject to this initial cybersecurity examination, this extensive list of questions and requests serves as a valuable resource given that it reflects the OCIE staff’s latest thinking – thanks to the recent Cybersecurity Roundtable – as to the types of risks firms should be thinking about as well as some of the precautions that they should probably take.
While firms should review all of the questions and information requests attached to the Cybersecurity Initiative risk alert, below are five (maybe not so obvious) lessons to be gleaned.
1. Got policies?
The information requests seek the identification and production of numerous policies – everything from a basic information security policy to incident report policies, policies for verifying customer emails, policies and procedures for third-party or vendor cybersecurity risk, etc. While there may not be any legal requirements (yet) for broker-dealers or investment advisers to have all of these policies, the fact that the OCIE staff is requesting copies of these policies sends a pretty strong signal that firms should seriously consider adopting such policies or at least have a strong justification as to why such a policy is not needed. Remember, if you are in Massachusetts, or have the personal information of a Massachusetts resident, this has been required of you by law since 2010.
2. Got coverage?
The OCIE staff is interested in whether firms have maintained insurance to cover losses and expenses associated with cybersecurity incidents. This should serve as a reminder that firms need to look into possible coverage for this risk if current policies do not provide for it. This is especially important given the increased number of cybersecurity breaches, and the escalating costs and expenses for remediating such breaches.
3. Don’t ignore internal risks.
While many of the recent headlines have concerned cyber-attacks or breaches from external hackers, the OCIE information requests also focus on possible internal breaches resulting from employees accessing data without authorization, or otherwise misappropriating or misusing data. So while a lot of attention has been paid to protecting electronic systems from external threats, it is still important to keep in mind (and guard against) the many instances of misappropriation or misuse that originate internally.
4. Don’t forget to use the recycle bin (lawfully).
One information request seeks production of a firm’s “written data destruction policy.” This serves as a good reminder that one way to minimize data breaches or other risks associated with keeping too much data is to have and administer a policy for the lawful destruction of data that is no longer necessary to keep for any legal reason or business purpose. In fact, any policies governing the destruction of electronic information should be consistent with any policy concerning the management and destruction of hard-copy documents. And, as with #1, at least one state (Massachusetts) already requires this by law.
5. Remember Red Flags.
As most broker-dealers and investment advisers know, the SEC’s Identity Theft Red Flags Rules became effective in 2013. And as part of the Cybersecurity Initiative, the OCIE staff expects that a firm’s written supervisory procedures now reflect these rules.