We are all aware that more high-profile cyber attacks are expected, so it is no surprise that the SEC’s Office of Compliance Inspections and Examinations (OCIE) have stated that cybersecurity will continue to be a priority for 2016.
In fact, The OCIE announced that the cybersecurity exams will include more in-depth assessments procedures and control implementations within organizations, but more on that later.
A little background…
Since kickstarting the Cybersecurity Initiative back in 2014, the OCIE have been running nation-wide exams and inspections, where registered entities, such as broker-dealers, transfer agents, investment advisors (see full list, are audited to ensure they properly safeguarding the assets under their control.
The OCIE Cybersecurity Initiative not only assesses “readiness” in dealing with cybersecurity issues, it’s also gathering information about how the industry deals with digital threats.
In fact, the regulatory body published a summary of findings (PDF), following the first year of cybersecurity exams. It tells us, for instance, that while 90% make use of encryption in some form, 88% of broker-dealers and 74% of of advisors experienced a cyber attack, either directly or through third-party vendors.
And have any fines been issued so far, you ask? Last September, a investment adviser in St-Louie, R.T. Jones Capital Equities Management, faced a $75,000 fine for reportedly failing to properly protect sensitive customer data in advance of a breach that compromised around 100,000 individuals, thousands of whom were R.T. Jones clients.
And we can expect more fines to be issued in 2016, says the agency’s enforcement chief: “The U.S. Securities and Exchange Commission plans to bring more cases against investment advisers who do not have policies to prevent hacking,” reported Reuters.
Cybersecurity Examinations Initiative 2016
The OCIE has yet to determine how many investment advisors will be examined this year. In the OCIE list of examination priorities for 2016 (PDF), the body states that audits will involve more testing to assess implementation of procedures and controls around cybersecurity in six priority areas.
Below we have provided bespoke tips to help you pass the OCIE cybersecurity exam.
- Risk Assessments: Establish a Cyber Governance Committee/Draft Cyber Governance Charter
- Incident response: Build-Out Cyber Program and Incident Response Documentation
- Access rights: Assess Security Program, Access Controls, and Gaps/Coordination with Cyber Needs
- Data loss prevention: Design Procedures for Threat Intelligence and Information Sharing
- Vendor management: Enhance Vendor Safeguardss
- Training: Cyber Training and Launch Cyber Simulation Wargamess
But let’s be honest here. Cybersecurity remains a complex affair. In order to remain competitive, we must all balance business operation andsecurity, all while appeasing the regulators.
The explosion of new devices, applications, and digital services combined with the management of access rights and incident response procedures can make even the most dedicated of CISOs want to bury their heads in the sand.
The thing is that it is actually very difficult to audit your own systems. Too much familiarity can make it difficult to find the problems. Fresh eyes are often beneficial.
Our advice, call in the experts. 🙂
Resources and more information:
December 2015: SEC Examination Priorities for 2016
September 2015: OCIE’s Cybersecurity Examination Initiative (PDF)
April 2015: SEC Division of Investment Management – Guidance Update (PDF)
February 2015: OCIE Cybersecurity Examination Sweep Summary(PDF)
About TBG Security Inc.
TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management,penetration testing, security policy development, security strategies for compliance, business continuity, network security, managed services, software and service integration and incident response.
For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.