The SEC’s Cybersecurity Assessment: A Roadmap for Companies Nationwide

Akin Gump Strauss Hauer & Feld LLP

The U.S. Securities & Exchange Commission (SEC) provided cybersecurity guidance to the securities industry in the form of a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) on April 15, 2014. The guidance, which is neither a rule nor a regulation, outlines a series of questions that the SEC is sending to approximately 50 registered broker-dealers and investment advisers. According to one SEC official, the OCIE decided to issue a Risk Alert and publish the questions in an attempt to encourage widespread diligence on cybersecurity. The Risk Alert notes that it “is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.” Although the Risk Alert applies specifically to the securities industry, the questions will likely serve as a model for companies nationwide and provide a framework for discussing cybersecurity best practices.

The exam focuses on six key areas:

1. Identification of cybersecurity risks and corporate governance.

2. Protection of networks and information.

3. Risks associated with remote customer access and funds transfer requests.

4. Risks associated with vendors and other third parties.

5. Detection of unauthorized activity.

6. Experiences with certain cybersecurity threats and application of the Identity Theft Red Flag Rules.

The Risk Alert provides a seven-page appendix that details sample questions related to cybersecurity and data protection risk. Many of the questions in the Risk Alert appendix track language outlined in the Cybersecurity Framework released by the Department of Commerce’s National Institute of Standards and Technology in February of this year. The Risk Alert is the first clear application of the NIST guidelines at the SEC level. The Risk Alert also appears to encourage information sharing, specifically asking whether any cyber events were shared with law enforcement, FinCEN, FINRA, any state or federal regulatory agency, or any industry-specific organization. The questions related to experiences with certain cybersecurity threats should be reviewed by any SEC-reporting company, as it appears to outline the types of threats that the SEC may consider important in disclosing in a company’s risk factors.

The SEC’s release of the sample exam questions sends a clear signal to registered securities professionals: analyze your cybersecurity risk management process and make any modifications before the SEC comes knocking on your door. The exam results will inform any future rulemaking, which, after the SEC’s Cybersecurity Roundtable, seems likely. And although the Risk Alert specifically applies to registered broker dealers and investment advisers, any organization would benefit from reviewing the 28-question list and determining areas for improvement.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.