By Yin Wilczek
April 16 -- The Securities and Exchange Commission Office of Compliance Inspections and Examinations (OCIE) announced in an April 15 risk alert that it will examine more than 50 registered broker-dealers and investment advisers on their cybersecurity preparedness.
The OCIE also released a sample request for information used in the initiative to help registrants in their compliance efforts. The release of the documentation is an “unusual” move for the commission, John Reed Stark, managing director of digital risk management company Stroz Friedberg LLC in Washington, and the founder and former chief of the SEC Enforcement Division Office of Internet Enforcement, told Bloomberg BNA April 16.
The exams, which follow through on the SEC's promise to examine cybersecurity at financial firms, will probe firms' cybersecurity governance, assessment of risks, network protection, remote customer access and the use of vendors and other third parties, the alert said.
“A regulatory cyberstorm is clearly brewing and its onslaught will have a dramatic impact upon how financial firms build, manage and protect their information and trading systems,” Stark said. Firms may have to “invent a new type of information technology security department that includes” platforms that can quickly respond to cyberthreats and the ability to report in real time the firms' technology-related compliance efforts and incident response measures, he said.
Other attorneys told Bloomberg BNA that the SEC is right to be concerned about registrants' cybersecurity readiness.
Although registrants may not pose as big a risk for breaches as large public companies, they do store clients' confidential information and some also have custody of customer assets. At a March SEC cybersecurity round table, industry representatives said the common cybersecurity incidents involving broker-dealers and investment advisers include hackers trying to gain access to client assets and accounts.
Stark commended the SEC for publicly releasing its examination module for the cybersecurity preparedness initiative. “With the public disclosure of this questionnaire, the commission is giving up the surprise” element for one aspect of its exam program in order to give registrants “a rare chance to prepare,” he said.
In preparing for the exam, firms should employ a “risk-based approach” to cybersecurity that is consistent with their risk management policies in other areas, he said. “It is a mistake to just reach for tactical solutions, like data loss prevention software, without knowing how to deploy it within sound policies,” he said.
“It's great” that the SEC is “providing a list of the request items because these issues will be important to firms,” including those that didn't receive the request for information, Brian Rubin, a Washington-based partner at Sutherland Asbill & Brennan LLP, told Bloomberg BNA April 16. “It provides a roadmap of the issues that the SEC thinks are important in the cybersecurity space.”
Robert Plaze, a Washington-based partner at Stroock & Stroock & Lavan LLP and a former deputy director of the SEC's Division of Investment Management, expressed some concern that the commission's request for information reads more like a directive than a probe for answers.
“My first reaction to seeing the sample questions is this is what the SEC expects me to be doing, or explain why I'm not doing it,” Plaze told Bloomberg BNA April 16. While the measures may be viable for large firms, they could pose a burden for smaller investment advisers, he said. The questionnaire “is a set of expectations” that the SEC is creating “through the examinations process, and those expectations may be difficult for a small firm to live up to.”
Rubin said that cybersecurity likely will become a bigger matter going forward, “as the bad guys focus on financial services firms in the same way that they have focused on retail companies.” He also said that the SEC Enforcement Division will be closely scrutinizing firms' compliance. The OCIE questionnaire provides guidance to firms, “but I also think that the SEC will bring enforcement actions where they see obvious issues or problems that firms haven't addressed,” he said.
To contact the reporter on this story: Yin Wilczek in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Susan Jenkins at email@example.com
The OCIE risk alert is available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.