SEC Issues Update on 2015 Cybersecurity Examination Initiative

On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert providing additional guidance on key focus areas for round two of its cybersecurity examinations. Specifically, OCIE stated that exams will “involve more testing to assess implementation of firm procedures and controls.” The Commission intends to focus on the following areas as a means to collect information on cybersecurity-related controls and assess the controls in place at firms:

Governance and Risk Assessment: According to the Alert, OCIE may evaluate the governance and risk assessment process for areas including, but not limited to, access control, employee training, third-party/vendor management and IT systems management. Examiners also expect to see that assessments and associated policies are specific to a firm’s business.

Access Rights and Controls: OCIE warns that the lack of basic access controls and user management policies can result in unauthorized access to systems and information. Examiners may request details on how a firm manages user rights and what supporting technologies are in place.

A few internal security best practices we advise clients to keep in mind are: 1) maintain a strong password policy, 2) use multi-factor authentication, and 3) take control of company-sanctioned mobile devices.

Data Loss Prevention: For this control area OCIE covers two potential data breach weaknesses. The first is inadequate controls around patch management and systems configuration. In this area, examiners may question how security patches are prioritized and how they are then handled according to that prioritization. The second area dives deeper into data loss prevention (DLP), asking firms how they monitor the flow of files and data, particularly large attachments or uploads.

Vendor Management: OCIE highlights the significant risk exposure third-party vendors and platforms can introduce to a firm and reinforces the importance of conducting adequate and regular due diligence. The Alert states that examiners may ask firms to outline how they evaluate, audit and access vendors and how that diligence links with the firm’s ongoing risk assessment process.

Training: The Alert reinforces that employees and vendors can unintentionally put a firm’s data at risk if proper training is not conducted. The reality is that a firm’s security strategy will only work if employees are properly trained on it.

The goal of an information security awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of your organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.

Incident Response: OCIE examiners expect firms to have detailed written information security plans as well as incident response policies.

As outlined by Shelley Rosensweig of Haynes and Boone in her article Cybersecurity Risks and Implications for Investment Advisers, advisers should consider the following when implementing an Incident Response Plan:
