The Securities and Exchange Commission will broaden its focus on cyber-security concerns during forthcoming examinations of registered broker-dealers and investment advisers by its Office of Compliance Inspections and Examinations (OCIE).
In April 2014, OCIE announced a series of examinations to identify cyber-security risks and assess preparedness in the securities industry. Building upon the results of those exams, a recently released Risk Alert details expected areas of focus for the second round of cyber-security examinations, which will involve more testing to assess implementation of firm procedures and controls.
Governance and Risk Assessment
Examiners plan to assess whether registrants have adequate cyber-security governance and risk assessment processes. They also may assess whether firms are periodically evaluating cyber-security risks and whether their controls and risk assessment processes are tailored to their business. Examiners may also review the level of communication to, and involvement of, senior management and boards of directors.
Access Rights and Controls
Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multi-factor authentication or updating access rights based on personnel or system changes. In response, examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, and firm protocols to address customer login problems, network segmentation, and tiered access.
Data Loss Prevention
Data breaches can result from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside their walls by employees or through third parties, including email attachments and uploads. Examiners can be expected to review how firms monitor for unauthorized data transfers and how firms verify the authenticity of a customer request to transfer funds.
Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms. In response, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process, as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Without proper training, employees and vendors may put a firm’s data at risk, OCIE says in the risk alert. Common causes of data breaches include misplaced laptops, accessing client accounts through an unsecured internet connection, and opening messages or downloading attachments from an unknown source. In response, examiners will inquire about how training is tailored to specific job functions and designed to encourage responsible employee and vendor behavior. Also under review: whether incident response procedures are integrated into regular personnel and vendor training.
Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future breaches. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
While these are the primary focus areas for the Cyber-Security Examination Initiative, examiners may also select additional areas based on risks identified during the course of the examinations.