SEC risk alert announces cybersecurity exams round 2
The Securities and Exchange Commission (SEC) has issued a risk alert announcing the start of a second round of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.
Its Office of Compliance Inspections and Examinations (OCIE) announced the follow-up exams to its programme of testing, which began in April 2014, to assess implementation of firm procedures and controls.
The OCIE said it will “continue its focus on cybersecurity by conducting examinations of registered broker-dealers and investment advisers”, adding: “The examinations will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”
A first series of examinations to identify cybersecurity risks was launched over a year ago, with a summary of the findings published in February 2015.
It found that most firms had been the subject of a cyber-related incident. Nine in ten broker-dealers (88 per cent) and three-quarters of advisers (74 per cent) stated that they had experienced cyber-attacks directly or through one or more of their vendors, largely related to malware and fraudulent emails.
The second round of exams is being launched in light of recent cybersecurity breaches, ongoing cybersecurity threats against financial services firms, and public reports identifying breaches “related to weaknesses in basic controls”, the OCIE said.
Its follow-up tests will focus on six key areas:
Governance and Risk Assessment
The SEC will consider firms’ cybersecurity governance and risk assessment processes; check whether they are periodically evaluating cybersecurity risks; and potentially review the level of communication and involvement of senior management and boards of directors.
Access Rights and Controls
Examiners will look at how firms control access to various systems and data via management of user credentials, authentication, and authorisation methods. Firms affected should consider controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation and tiered access.
Data Loss Prevention
SEC examiners will look at how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, how they monitor for potentially unauthorised data transfers, and how they verify the authenticity of a customer request to transfer funds.
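As an added illustration, not part of the SEC alert or of the original article, the following Python check is the kind of thing a firm could run to answer the first of those questions: aggregate outbound transfers per user per day from gateway logs, flag any day that far exceeds that user's own baseline, and list destinations the user had not sent to before. The log format, the sample lines and the thresholds (a 5x ratio and a 10 MB floor) are all constructed assumptions for the example.

```python
"""
Egress-volume check over outbound-transfer log lines.

Flags a user whose outbound volume on a given day is far above their own
median on other days, and reports destinations first seen on that day.
Log format and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (hypothetical format: timestamp user channel destination bytes).
SAMPLE_LOG = """\
2015-09-01T09:12:03Z jsmith email partner.example.com 240000
2015-09-01T10:40:11Z jsmith https crm.vendor.example.net 1800000
2015-09-01T14:02:55Z adoe email partner.example.com 150000
2015-09-02T09:05:19Z jsmith email partner.example.com 260000
2015-09-02T11:22:40Z jsmith https crm.vendor.example.net 1700000
2015-09-02T13:44:02Z adoe https crm.vendor.example.net 400000
2015-09-03T08:55:31Z jsmith https crm.vendor.example.net 1900000
2015-09-03T16:10:09Z adoe email partner.example.com 120000
2015-09-04T18:31:47Z adoe https files.share-example.org 48000000
2015-09-04T18:40:12Z adoe https files.share-example.org 52000000
2015-09-04T10:15:00Z jsmith email partner.example.com 230000
"""


def parse_line(line):
    """Split one log line into a record; the five-field layout is assumed."""
    ts, user, channel, dest, nbytes = line.split()
    return {
        "day": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(),
        "user": user,
        "channel": channel,
        "dest": dest,
        "bytes": int(nbytes),
    }


def aggregate(lines):
    """Return user -> day -> {'bytes': total outbound bytes, 'dests': destinations used}."""
    agg = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dests": set()}))
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        bucket = agg[rec["user"]][rec["day"]]
        bucket["bytes"] += rec["bytes"]
        bucket["dests"].add(rec["dest"])
    return agg


def find_egress_anomalies(lines, ratio=5.0, floor_bytes=10_000_000):
    """
    Flag (user, day) pairs whose outbound volume is at least `ratio` times the
    user's median volume on their other days and above `floor_bytes`.
    The floor keeps a quiet user from alerting on a few hundred kilobytes.
    Each alert also lists destinations the user had not used on earlier days.
    """
    alerts = []
    for user, per_day in aggregate(lines).items():
        days = sorted(per_day)
        for day in days:
            total = per_day[day]["bytes"]
            others = [per_day[d]["bytes"] for d in days if d != day]
            if not others:  # a single day gives no baseline to compare against
                continue
            baseline = median(others)
            if total < floor_bytes or total < ratio * baseline:
                continue
            earlier_dests = set().union(*(per_day[d]["dests"] for d in days if d < day))
            new_dests = sorted(per_day[day]["dests"] - earlier_dests)
            alerts.append({
                "user": user,
                "day": day.isoformat(),
                "bytes": total,
                "baseline": baseline,
                "new_destinations": new_dests,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, only adoe's 4 September activity is flagged: roughly 100 MB sent to a file-sharing host that does not appear on any earlier day, against a baseline of a few hundred kilobytes. A real deployment would feed this from the proxy or mail gateway rather than an inline string and would tune the ratio and floor per role, but the structure (per-user baseline, not a single firm-wide threshold, plus new-destination context) is what turns a volume counter into something an analyst can act on.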
Vendor Management
Vendor security has risen up the agenda lately after some of the worst breaches resulted from the compromise of third-party vendor platforms. A report from the New York Department of Financial Services found that one in three of 40 banks surveyed did not require their vendors to notify them of cybersecurity breaches.
The SEC will consider due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. How vendor relationships are factored into a firm’s ongoing risk assessment process will also be looked at.
Training
Examiners plan to assess firms’ training, how it is tailored to specific job functions, and whether procedures for responding to cyber incidents are integrated into regular personnel and vendor training.
Incident Response
Finally, the SEC plans to assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.