On April 15, 2014, the SEC's Office of Compliance Inspections and Examinations quietly disclosed its examination module pertaining to cybersecurity. The disclosure came in the form of a Risk Alert providing "additional information concerning [OCIE's] initiative to assess cybersecurity preparedness in the securities industry."
OCIE stated in the Risk Alert that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, and provided a a sample request for information and documents. OCIE stated that it will be focusing on the following areas:
the entity's cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
John Stark, Managing Director of digital risk management firm Stroz Friedberg, stated that the OCIE Risk Alert is the latest sign that a cybersecurity breach at a financial firm is now likely to trigger the interest and possible wrath of the OCIE and, for registered broker-dealers, the Financial Industry Regulatory Authority (FINRA) as well. Stark says that regulators such as OCIE and FINRA will "want to know more than just what a firm is doing to detect the origin, nature and extent of the cyber-related incident and what sort of remediation the firm is undertaking; their examiners will also want to understand what sort of cybersecurity preparedness firms undertake to protect their networks and systems together with what plans, policies and procedures firms have established to thwart cyber-intrusions and attacks."
Stark commended OCIE for being "forward-thinking and inventive" in its Risk Alert, and said financial firms need to employ a risk-based approach to cybersecurity. Firms that had been inclined to "take a wait-and-see approach to the upcoming cybersecurity regulatory onslaught should reconsider," Stark warned.