About the author: Luke Falgoust is an associate at the Jones Walker law firm in Business & Commercial Transactions Practice Group. He contributes to the recently launched Trade Secret Insider, which chronicles legal insights on trade secrets, non-competes, computer fraud and confidential data theft. This article was originally posted on tradesecretsinsider.com.
————————————————————————————————————————————–
On April 15, 2014 the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a National Exam Program Risk Alert entitledOCIE Cybersecurity Initiative (the “Risk Alert”) announcing its plans to conduct examinations of more than 50 registered broker-dealers and investment advisers focused on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
The Risk Alert includes a sample information and document request list that describes the various categories of detailed information that OCIE will potentially be seeking through its examinations. This disclosure by OCIE is intended to provide compliance professionals in the securities industry with questions and tools they can use to assess their firms’ level of preparedness. The sample information and document request list also can be used by a firm’s compliance department as a guide to track the firm’s cyber infrastructure, assess the firm’s cybersecurity risks and document, implement and monitor policies and procedures regarding identification, documentation, prioritization and mitigation of cyber risks. The sample request list suggests that all financial firms should, among various other measures:
- use an established framework to address cybersecurity;
- have written policies and procedures in place to manage information security assets, networks and information;
- conduct periodic risk assessments to identify physical cybersecurity threats and vulnerabilities;
- identify persons responsible for overseeing cybersecurity risks;
- implement a cybersecurity incident response policy; and
- maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents.
OCIE hopes that these examinations will identify areas where the SEC and the securities industry can work together to protect investors and capital markets from cybersecurity threats. Registered broker-dealers and investment advisers should review the information and document requests included in the Risk Alert and evaluate their existing cybersecurity policies and procedures. Financial firms should also prepare for OCIE’s greater scrutiny of their cybersecurity policies and procedures.