The SEC to require registered broker-dealers and registered investment advisers to conduct risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.
Earlier this year on March 26, 2014, the U.S. Securities and Exchange Commission sponsored a Cybersecurity Roundtable. In opening the Roundtable, Chair Mary Jo White, Chairwoman of the SEC underscored the importance of cybersecurity to the integrity of our market system and customer data protection. At the same meeting, Luis A. Aguilar, a Commissioner at the SEC emphasized the importance for the Commission to gather information and consider what additional steps the Commission should take to address cyber-threats. The last statement is particularly important.
It is well known that Cyber threats pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and the private data of the American consumer. These threats are of extraordinary nature and are finally beginning to receive the consideration they deserve. In fact, they are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. Jim Comey, Director of the FBI, has testified that resources devoted to cyber-based threats are expected “to eclipse” resources devoted to terrorism. The SEC a latecomer to realizing the threat of Cybersecurity to our financial systems is finally paying attention.
The SEC has proposed a rule, which would require certain regulated financial institutions and creditors including registered investment advisers, broker-dealers, and funds to test their automated systems for vulnerabilities, test their business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover their clearing and trading operations within specified time frames. It requires the covered entity conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. The risk assessment must include identification of physical security threats and vulnerabilities that it may bear on cybersecurity. In addition, the Commission last year adopted Regulation S-ID, which requires covered entities to adopt and implement identity theft programs. As part of this initiative, Office of Compliance Inspections and Examinations (OCIE) will conduct examinations of more than 50 registered broker-dealers and registered investment advisers. The examination will focus on the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with cybersecurity threats. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees risk, OCIE has compiled a list of requests for information that the OCIE may use in conducting examinations of registered entities regarding cybersecurity matters. The list generally includes the following;
Identification of Risks/Cybersecurity Governance
- Protection of Firm Networks and Information
- Risks Associated With Remote Customer Access and Funds Transfer Requests
- Risks Associated With Vendors and Other Third Parties
- Detection of Unauthorized Activity
A detailed guidance is included in the OCIE publication http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf