SEC Issues Risk Alert concerning its cybersecurity preparedness initiative

In January 2014, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) announced that a focus on technology and cybersecurity preparedness would be included in its 2014 examination priorities.

A Risk Alert was issued by OCIE on April 15, 2014 to provide additional information on this initiative. OCIE announced that it will conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on the following:

• cybersecurity governance
• identification and assessment of cybersecurity risks
• protection of networks and information
• risks associated with remote customer access and funds transfer requests
• risks associated with vendors and other third parties
• detection of unauthorized activity
• experiences with certain cybersecurity threats

It is believed these examinations will help identify areas where the Commission and the industry can work together to protect investors and capital markets from cybersecurity threats.

As part of the Risk Alert, OCIE included a sample request list outlining the information and documents that will be reviewed during these examinations.  The sample document request is intended to assist compliance professionals in assessing their firm’s level of preparedness.

Registered entities are encouraged to review the sample document request, as well as the “Framework for Improving Critical Infrastructure Cybersecurity” released in February 2014 by the National Institute of Standards and Technology, to assess their current cybersecurity preparedness.