Cyber-security exams are coming for 50 registered broker-dealers and registered investment advisers as the SEC’s Office of Compliance Inspections and Examinations (OCIE) takes steps to help firms better protect themselves from cyber-attacks.
To help compliance professionals assess levels of preparedness against cyber-attacks, the OCIE has issued a seven-page checklist intended to bolster firms’ readiness and to be used to assess cyber-security during routine examinations by the SEC, officials say.
“As part of this initiative,” OCIE officials say in a National Exam Risk Alert from April 15, “OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
The cyber-security initiative follows the Cybersecurity Roundtable, held March 26, when SEC Chair Mary Jo White urged stronger “partnerships between the government and private sector” and actions to address cyber threats.
The OCIE examinations are intended to help identify areas where the SEC and the industry can jointly protect investors and capital markets from cybersecurity threats, officials say.
SEC officials say the checklist is not definitive and that some of the questions and areas of concern were derived from the “Framework for Improving Critical Infrastructure Cybersecurity,” dated Feb. 12, 2014, by the National Institute of Standards and Technology (NIST).
The checklist covers:
- Identification of Risks/Cybersecurity Governance
- Protection of Firm Networks and Information
- Risks Associated With Remote Customer Access and Funds Transfer Requests
- Risks Associated With Vendors and Other Third Parties
- Detection of Unauthorized Activity
“This document should not be considered all inclusive of the information that OCIE may request,” officials say. “Accordingly, OCIE will alter its requests for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment.”