In an April 15, 2014 Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspection and Examinations (OCIE) announced that it would conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.
The OCIE Alert includes a sample request for information and documents that will be used in the initiative. This sample request for information and documents provides not only a roadmap for firms to prepare to respond to an exam, but also a guide for firms to consider in evaluating their policies and procedures.
At first blush, one may wonder how does the SEC have jurisdiction related to cybersecurity issues. Most people view cybersecurity as a technology and IT issue, as opposed to a securities law issue. Cybersecurity, however, is an issue that is relevant to the securities laws in a number of respects—
- Rule 30 of Regulation S-P requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address the protection of customer information and records. Specifically, the policies and procedures must be reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security and integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The SEC has brought enforcement actions for alleged violations under Rule of 30 of Regulation S-P.
- Regulation S-ID requires that financial institutions establish and maintain programs that detect, prevent, and mitigate identity theft, if they maintain certain types of accounts for clients. The rule requires financial institutions to implement written identity theft programs that (1) identify and incorporate relevant red flags; (2) detect ref flags; (3) respond to any red flags that are detected; and (4) periodically update the program to reflect the changes in risks.
- Although the OCIE Alert does not apply to public companies that are not broker-dealers, investment companies or investment advisers, the SEC has provided guidance to public companies regarding the disclosure of cysbersecurity risks. The SEC’s guidance to public companies notes that “[a]lthough no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.” The SEC guidance goes on to enumerate several areas where a cybersecurity risks and incidents may be required to be disclosed.
OCIE Jurisdiction and AlertOCIE administers the SEC’s nationwide examination and inspection program of registered broker-dealers, investment advisers, investment companies, the national securities exchanges, clearing agencies, SROs, such as Financial Industry Regulatory Authority (FINRA), the Municipal Securities Rulemaking Board (MSRB) and the Public Company Accounting Oversight Board (PCAOB). OCIE stated that “[t]hese examinations will help identify areas the Commission and the industry can work to protect investors and our capital markets from cybersecurity threats.” OCIE’s Risk Alert comes on the heels of the SEC’s recent Cybersecurity Roundtable, which was a gathering of industry and regulators to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how they are addressing those concerns.
In its Risk Alert, OCIE provided a sample request for information and documents that it may ask for from firms in its cybersecurity initiative. Some of the questions asked track information outlined in the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” OCIE’s sample requests focus on five specific topic areas—
1) Identification of risks/cybersecurity governance;
2) Protection of firm networks and information;
3) Risks associated with remote access and funds transfer requests;
4) Risks associated with vendors and other third parties; and