Will Assess More than 50 Broker-Dealers, Investment Advisers
If you’re an investment adviser or broker-dealer, the time is rapidly approaching when you’ll be subjected to an SEC cybersecurity readiness audit. Are you prepared?
The Securities and Exchange Commission is planning to conduct more than 50 examinations to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyberthreats.
Organizations to be examined by the SEC’s Office of Compliance Inspections and Examinations include registered broker-dealers and registered investment advisers, according to an April 15 announcement.
The examinations will focus on the entities’ identification and assessment of risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.
Alan Brill, senior managing director at security advisory firm Kroll Solutions, says one comment in the SEC’s announcement is particularly significant for all business sectors. “The suggestion that collecting the data in their information request would help the management of any organization to assess their preparedness to prevent, detect and appropriately respond to a cyber-incident [is important],” he says. “With a few modifications for different industries, the questions posed would be ones that I would hope compliance officers, internal auditors and even boards of directors would want to examine to carry out their oversight role over cybersecurity.”
Brill says the information offered in the SEC announcement’s extensive appendix section can also be used as the basis for an independent third-party assessment of information “by specialists who can bring a lot of experience in identifying commercially reasonable technology and operational solutions.”
Karen Evans, a partner at the management consulting service KE&T Partners LLC who previously worked at the Office of Management and Budget, says all business sectors should be conducting risk assessments and reviews of their security programs as is being outlined by the SEC.
“If you have a good program in place, you should be able to answer those questions to whoever your regulator is,” she says. “It shouldn’t be a burden if a firm is practicing good information security assurance and risk management.”
In its announcement of the upcoming examinations, the SEC says some of the information it may seek from Wall Street companies includes:
- An inventory of physical devices and systems, as well as software platforms and applications;
- A copy of the organization’s written information security policy;
- Evidence of whether the organization conducts periodic risk assessments;
- Evidence of whether cybersecurity roles and responsibilities have been explicitly assigned;
- Practices and controls regarding the protection of networks and information utilized by the organization;
- Evidence of whether the organization conducts or requires risk assessments of vendors and business partners;
- Steps taken to detect unauthorized activity on networks and devices;
- Updates on whether the organization experienced any type of cyber-incident.