|April 25, 2014|
Previously published on April 21, 2014
On April 15, 2014, SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert describing an initiative it is currently undertaking to assess cybersecurity preparedness in the securities industry.1 The Risk Alert includes a seven page appendix with 28 “sample” information requests that it may send to firms. Based on reports by industry participants at broker-dealers and investment advisers that received information requests from OCIE, this effort was launched several weeks ago. The stated purpose of OCIE’s information requests is to enhance the SEC’s understanding of the state of cybersecurity preparedness and to obtain information about the cyber-threats faced by regulated entities.
OCIE’s initiative is further evidence of the SEC’s new focus on cybersecurity. In its January 2014 Priorities Letter, OCIE included governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages. On March 26, 2014, the SEC hosted a roundtable on cybersecurity at its Washington, D.C. headquarters, which brought together public and private sector cybersecurity experts to discuss the cyber-issues confronting the financial system, the current state of industry preparedness, the adequacy of current regulations, and the role of the SEC in safeguarding the markets and participants from cyber-threats. For more information see Four Things You Need to Know About the SEC Roundtable on Cybersecurity.
The information requests cover cybersecurity governance, identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats. Registered broker-dealers and investment advisers should note that OCIE states that certain information requests incorporate the National Institute of Standards and Technology (NIST) cybersecurity framework published on February 12, 2014. In light of its recent release and status as a voluntary framework, OCIE’s referencing the NIST framework is likely aimed at gauging the adoption of the framework. It also suggests the importance the SEC is placing on the NIST framework and its possible future adoption as an industry standard.
The information requests, as presented in the Risk Alert, are quite broad and may not apply in their entirety to any particular firm. As broker-dealers and investment advisers implement cybersecurity plans they should recognize many of the issues, and they should be able to distinguish those that do not apply in their business model or technological environment. More importantly, the information requests highlight several cybersecurity challenges that firms face.
Implementation of basic elements of cybersecurity requires a detailed understanding of the firm’s cyber-infrastructure. The information requests make evident that the first task of cybersecurity is to map the firm’s network resources, connections, data storage, and data flows; conduct a census of every computer and device on the network; and inventory every application used on the network. For global firms this might mean identifying the physical location of hundreds of thousands of computers, tens of thousands of servers, and many thousand applications. Smaller firms may also find that they have a surprising number of computers, devices, and applications supported on their network.
Registered broker-dealers and investment advisers must implement cybersecurity policies and procedures tailored to their risks. Like the NIST framework, OCIE information requests comprehend that each entity has its own risk profile, and so each firm must tailor its cybersecurity policies and procedures to its own circumstances. Firms should be able to demonstrate to examiners that they have adequately considered the issues highlighted by the information requests, including those that the firm has not adopted based on its risk self-assessment.
Documenting compliance with cybersecurity policies and procedures is essential. The information requests are exceptionally granular, and can only be easily answered if firms have maintained adequate records regarding their cybersecurity-related policies and procedures. For example, in several instances OCIE requests the dates on which specific actions were taken, the frequency with which practices are conducted, and the group and title of those with responsibility for conducting cybersecurity practices. Although many of these records may not be required under existing industry rules and regulations, firms need to consider how they will demonstrate they have taken adequate measures to protect the firm and its customers and will need to devote adequate resources to that task.
Registered broker-dealers and investment advisers should have a firm grasp of the risks associated with vendors and other third parties. Cybersecurity is on the SEC’s agenda this year in part due to the data breach at Target in December 2013, which was initiated through a network vulnerability at a Target vendor. Firms of all sizes will be challenged to conduct adequate due diligence of vendors’ cybersecurity policies and procedures at the start of a relationship, as well as on an ongoing basis. Additionally, firms will have to establish and maintain adequate oversight of authorized activities on its network to ensure compliance with any relevant policies and procedures.
Registered broker-dealers and investment advisers need to develop mechanisms for detecting unauthorized activity on the firm’s network. Detecting unauthorized access to a firm’s network is a core challenge for all firms, so it is unsurprising that OCIE requests information on this topic. Research indicates that on average cyber-incursions remain undetected in excess of eight months, and are often detected by law enforcement, vendors, or customers, not by the firms themselves. Consistent with their network structure and business model, firms will have to demonstrate adequate monitoring of their network environment for cybersecurity events, as well as the presence of unauthorized users, devices, connections, and software. This will be a challenge for firms of all sizes — although large global firms have greater resources available they also have a vast cyber-infrastructure to monitor, while smaller firms likely have a smaller infrastructure, they are more likely to face resource constraints that may limit the technology and testing they can afford to implement.
Registered broker-dealers and investment advisers are encouraged to compare their own cybersecurity policies and procedures against the information requests appended to the Risk Alert, with an eye to areas they may have missed or neglected in existing policies. Firms should expect that the SEC’s interest in cybersecurity will not abate, and should begin preparing for greater scrutiny in this area. We expect this initial sweep will result in the SEC issuing further guidance on cybersecurity, possibly as a prelude to enacting new regulation in this area.
1 OCIE Cybersecurity Initiative, available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf