SEC Announces Examinations of Wall Street Firms' Cybersecurity Measures
U.S. securities regulators are moving to make Wall Street firms more proactive in preventing cyberattacks, according to an announcement by the Securities and Exchange Commission (SEC) earlier this week.
In a Risk Alert released by the SEC’s Office of Compliance Inspections and Examinations (OCIE) on April 15, the SEC warned firms that it will be conducting examinations of more than 50 registered broker-dealers and investment advisers to assess their cybersecurity measures.
It’s unclear when the examinations will begin, but the OCIE said it will focus on the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, and protection of networks and information. The OCIE will also be looking at risks associated with remote customer access and funds transfer requests, risks associated with vendors and third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
The Risk Alert also included examples of the types of questions that firms can be prepared to answer during the investigation. The sample consists of 28 questions, many with additional requests for information related to the initial question. They range from identifying risks and providing copies of the firm’s written information security policy to indicating whether the firm conducts periodic risk assessments that identify cybersecurity threats.
The line of questioning follows information outlined in the Cybersecurity Framework released earlier this year by the National Institute of Standards and Technology, which can be used by firms as a resource when preparing for examinations.
However, the sample questions do not include all of the information that the OCIE may request. Instead, the office said it “will alter its requests for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment.”
The move toward examinations comes after a March 26 Cybersecurity Roundtable at which Chair Mary Jo White underscored the importance of cybersecurity to the integrity of the U.S. market system and customer data protection, along with the need for public and private partnerships to combat cyber threats.
“These examinations will help identify areas where the commission and the industry can work together to protect investors and our capital markets from cybersecurity threats,” according to the Risk Alert. For more information and to read the Risk Alert in full, visit the SEC Web site here.