Time to Get Ready for SEC Cybersecurity Examinations – Phase 2
The Securities and Exchange Commission (SEC) completed the first phase of its cybersecurity examinations earlier this year when it released findings and industry practice reports, and the agency is now gearing up for phase two. In light of regulators’ increasing focus on data security, Kaufman Rossin partnered with Charles Schwab to present the “Cybersecurity and SEC Compliance Roundtable” for registered investment advisers and broker-dealers.
Because of the nature of the information that broker-dealers and investment advisers hold about their investors, they are especially likely to be targeted by cyber attacks. Firms have access to sensitive information including social security numbers, addresses, birthdates, bank account numbers, and other data that is valuable to cyber-criminals.
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) said it will continue to focus on cybersecurity using risk-based examinations. “One major difference with this second phase is that, unlike the first sweep conducted, these exams will be onsite visits,” said Jane Jarcho of the OCIE. “Examiners will dig deeply into a few cyber-related topics during these visits.”
The SEC issued a risk alert on September 15th that outlined the OCIE’s cybersecurity examination initiative. The agency is expected to focus on the following areas in its upcoming examinations:
- Cybersecurity policy and procedures
- Framework used to establish the policy
- Adviser’s cybersecurity governance and risk assessment as it relates to the adviser’s business
- Access rights and controls
- Vendor management
- Data loss prevention and cyber-breach response plans
- Business continuity plan
- Senior management and board’s role approving such procedures
- Training
Firms need to understand that cyber attacks are becoming increasingly sophisticated. Many current security approaches rely on technology as the cornerstone of defense, but technical controls alone can often be defeated by attackers. Implementing a robust information security program that includes proper policies, procedures and training for employees helps mitigate a firm’s cybersecurity risk.
Firms should consider designing their cybersecurity programs in line with the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework:
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards for delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence and possible impact of a cybersecurity event.
- Respond – Enact specific risk-management decisions and pre-planned activities relative to the impact of a cybersecurity incident.
- Recover – Implement management, technical, and operational activities to restore services that have been impaired as a result of a cybersecurity event.
Firms that fail to comply with SEC and other regulations related to cybersecurity may face significant fines or other enforcement measures.
The SEC’s sweep examination results, 2015 priorities, and the latest SEC cybersecurity risk alert reinforce the importance of firms having a robust cybersecurity infrastructure – something that can be time-consuming and costly to implement. Firms with small IT teams may not have adequate resources in-house, so they may want to consider engaging a third-party IT provider who can help them comply.
Kaufman Rossin can assist broker-dealers and investment advisers by conducting a cybersecurity risk assessment to inventory data assets, help identify threats and vulnerabilities and evaluate and report on the potential impact of a cyber-incident. In addition, we can provide training designed to increase employee awareness of social engineering and other cyber attacks.
Contact us to learn more about how your firm can prepare for the SEC’s 2015 cybersecurity examination initiative with a cybersecurity risk assessment and training.
Bao Nguyen, CAMS, CFE, CRCP, is a Risk Advisory Services Principal – Investment Leader at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.