In an April 15, 2014 Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspection and Examinations (OCIE) announced that it would conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.
The OCIE Alert includes a sample request for information and documents that will be used in the initiative. This sample request for information and documents provides not only a roadmap for firms to prepare to respond to an exam, but also a guide for firms to consider in evaluating their policies and procedures.
At first blush, one may wonder how the SEC has jurisdiction over cybersecurity issues. Most people view cybersecurity as a technology and IT issue, as opposed to a securities law issue. Cybersecurity, however, is an issue that is relevant to the securities laws in a number of respects—
OCIE Jurisdiction and Alert
OCIE administers the SEC’s nationwide examination and inspection program of registered broker-dealers, investment advisers, investment companies, the national securities exchanges, clearing agencies, and SROs such as the Financial Industry Regulatory Authority (FINRA), the Municipal Securities Rulemaking Board (MSRB) and the Public Company Accounting Oversight Board (PCAOB). OCIE stated that “[t]hese examinations will help identify areas the Commission and the industry can work to protect investors and our capital markets from cybersecurity threats.” OCIE’s Risk Alert comes on the heels of the SEC’s recent Cybersecurity Roundtable, a gathering of industry and regulators to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how they are addressing those concerns.
In its Risk Alert, OCIE provided a sample request for information and documents that it may ask for from firms in its cybersecurity initiative. Some of the questions asked track information outlined in the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” OCIE’s sample requests focus on five specific topic areas—
1) Identification of risks/cybersecurity governance;
2) Protection of firm networks and information;
3) Risks associated with remote access and funds transfer requests;
4) Risks associated with vendors and other third parties; and
Read the full story on s-ox.com