SEC to Launch Cybersecurity Exams of Investment Firms, Offers Sample Document Requests

Bruce Carton | April 18, 2014

On April 15, 2014, the SEC's Office of Compliance Inspections and Examinations quietly disclosed its examination module pertaining to cybersecurity. The disclosure came in the form of a Risk Alert providing "additional information concerning [OCIE's] initiative to assess cybersecurity preparedness in the securities industry." 

OCIE stated in the Risk Alert that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, and provided a sample request for information and documents. OCIE stated that it will be focusing on the following areas:

the entity's cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.

John Stark, Managing Director of digital risk management firm Stroz Friedberg, stated that the OCIE Risk Alert is the latest sign that a cybersecurity breach at a financial firm is now likely to trigger the interest and possible wrath of the OCIE and, for registered broker-dealers, the Financial Industry Regulatory Authority (FINRA) as well. Stark says that regulators such as OCIE and FINRA will "want to know more than just what a firm is doing to detect the origin, nature and extent of the cyber-related incident and what sort of remediation the firm is undertaking; their examiners will also want to understand what sort of cybersecurity preparedness firms undertake to protect their networks and systems together with what plans, policies and procedures firms have established to thwart cyber-intrusions and attacks."

Stark commended OCIE for being "forward-thinking and inventive" in its Risk Alert, and said financial firms need to employ a risk-based approach to cybersecurity. Firms that had been inclined to "take a wait-and-see approach to the upcoming cybersecurity regulatory onslaught should reconsider," Stark warned.