On April 15, 2014, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a Risk Alert on its Cybersecurity Initiative [1]. The Alert provides additional information about the SEC’s initiative to assess cybersecurity preparedness in the securities industry, including among broker-dealers and investment advisers. The SEC has been increasingly focused on cybersecurity, beginning with the Cybersecurity Disclosure Guidance it issued in October 2011 [2] and most recently with its Cybersecurity Roundtable [3].
In the Alert, the OCIE announced that it will examine more than 50 registered broker-dealers and registered investment advisers, focusing on areas relating to cybersecurity. The initiative is designed to assess cybersecurity preparedness in the securities industry and to gather information about the industry’s recent experiences with certain types of cyberthreats.
The examinations will focus on the following issues:
In a rare move, the SEC included a sample questionnaire in the Alert. The questionnaire allows firms to prepare for an examination and gives firms that are not examined an idea of the areas the SEC considers crucial to its assessment of cybersecurity preparedness. The SEC believes the sample questionnaire will give compliance professionals in the industry questions and tools they can use to assess their firms’ readiness for cyberthreats, and it indicated that the questionnaire may also be used to make appropriate changes to address and strengthen firms’ risk management systems.
The questionnaire, which is seven pages long and contains 28 questions (some with multiple sub-questions), covers a broad range of cybersecurity issues. Some of the questions track the “Framework for Improving Critical Infrastructure Cybersecurity” released by the National Institute of Standards and Technology in February 2014 [4]. The OCIE indicated that it will tailor the questionnaire to each firm it actually examines to account for the specific circumstances presented by that firm’s particular systems and information technology environment.
Of particular note in the questionnaire is the focus on written policies. The OCIE has identified the following written policies that may be of importance in evaluating cybersecurity preparedness:
The questionnaire also asks firms to disclose cyberattacks they have experienced since January 1, 2013, including the extent of any related losses, the customer information accessed, the firm services affected, the dates of each incident and of its discovery, and the remediation efforts undertaken.
Pepper Point: Although the OCIE indicated that it will examine only some 50 firms, every firm in this industry should, at a minimum, review the sample questionnaire to assess its own preparedness, and in particular whether it needs to adopt or update any written policies. Pepper Hamilton’s Privacy, Security and Data Protection Practice Group routinely advises on and drafts these policies, and counsels on cybersecurity compliance and training and on appropriate responses to a data breach.
For further information, please watch the following webcasts:
Or, for further reading, please see:
[1] OCIE Cybersecurity Initiative (available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf).
[2] CF Disclosure Guidance: Topic No. 2: Cybersecurity (available at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm).
[3] A webcast of the Cybersecurity Roundtable, which took place on March 26, 2014, is available on the SEC’s spotlight page (http://www.sec.gov/spotlight/cybersecurity-roundtable.shtml).
Sharon R. Klein and Melissa L. Nuñez
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.