IA Brief: Six steps to address U.S. SEC cybersecurity focus

February 11, 2015

Now that the Securities and Exchange Commission has formally named cybersecurity as a top exam priority, firms must prepare for the impending scrutiny.

In its annual list of investment adviser examination priorities for 2015, released January 13th, the SEC labeled cybersecurity as a market-wide risk. Last year’s exam priorities did not specifically point to cybersecurity, but merely highlighted investment adviser technology as an exam priority.

The SEC’s concern is shared by the Financial Industry Regulatory Authority (FINRA), the self-regulatory organization for broker-dealers, which also placed cybersecurity among its top exam priorities.

The only written regulatory guidance so far has been found in exam initiative letters from both the SEC and FINRA. In addition, there have been multiple conferences, surveys and even an SEC-sponsored roundtable event on the topic last year. However, the information presented is still relatively broad, forcing firms to create a policy on their own or to seek outside help.

More regulatory guidance is anticipated, but firms can prepare now for future scrutiny. Steps include using current sources for direction, assessing cyber-risks, inventorying devices, reviewing the business continuity plan (BCP), and planning for the monitoring, supervision and training of employees.

Here are six steps to consider when creating or reviewing a cybersecurity program:

  1. Use current sources. The SEC’s cybersecurity exam initiative was kicked off in April of 2014 through a risk alert. The sweep exams covered roughly 50 registered investment advisers and broker-dealers. The risk alert included 28 sample exam requests concerning cybersecurity, giving a good overall picture of what the SEC will expect in a program. FINRA similarly sent targeted sweep letters to approximately 20 broker-dealers querying their approaches to managing cybersecurity risks. FINRA’s January 2014 letter was a bit more general than the SEC’s list but did set out four goals for the assessment and a number of areas that would be examined during the sweep.

    The National Institute of Standards and Technology (NIST) Cybersecurity Framework, published on February 12, 2014, is also a useful reference when establishing a risk management process and the supporting infrastructure.

  2. Review cybersecurity risks. Take a risk assessment approach to identify current risks. The policies and procedures created from the assessment must be tailored to a firm’s own circumstances. Ensure the policies and procedures documents specify who performed the assessment and the frequency of review. It would be prudent to categorize your risks (e.g., moderate or high risk). Vendor and third-party risk should be properly addressed, especially when it comes to denial of service attacks.
  3. Take a current inventory of devices, connections, software and, most importantly, sign-on capabilities that are at risk of cyber-attacks. Having a complete picture of these elements will enable a firm to understand its cyber infrastructure. Be sure the inventory is done periodically and evidenced (who ran it, when, and what it found), so the exam team can see that the inventory is maintained rather than produced once.
  4. Review the firm’s current business continuity plan and ensure it addresses cybersecurity. The BCP should cover mitigation of the effects of a cybersecurity incident and recovery from such an incident if one occurs. The firm must periodically test the functionality of its backup system, and the annual test of the BCP is a perfect opportunity. A record of backup system testing must be maintained.
  5. Set up policies and procedures to address monitoring. The cybersecurity program must demonstrate adequate monitoring of the network environment for cybersecurity events, as well as for the presence of unauthorized users, devices, connections, and software. The reliability of the event detection processes must be tested, with evidence showing the most recent assessment. In addition, a written process and procedure for responding to a breach should be created. The firm should have an established process for dealing with a cyber breach as soon as it is discovered; timing is of the essence once a breach is detected. In many cases, a firm will use a team approach that includes the CCO, executive management, IT professionals and legal counsel.
  6. Ensure proper representative training. Representative training needs to include cybersecurity risks and how to respond to a threat. Be prepared to provide the SEC exam team with a copy of any related written materials (e.g., presentations) and to identify the dates, topics, and which groups of employees participated in each training event.
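As an added illustration of what "evidenced" inventory (step 3) and monitoring for unauthorized devices, software and sign-ons (step 5) can look like in practice, the following Python script is not from the article or from Thomson Reuters. It builds a timestamped, hashed inventory record from a discovery result, checks the record has not been altered, flags items that are not on an approved baseline or that allow remote sign-on without MFA, and diffs two snapshots so the next periodic run shows what changed. The discovered items, the approved baseline and the "cco" reviewer name are constructed for the example; in a real firm the discovery list would come from a network scan, MDM export or identity provider rather than a hard-coded list.

```python
"""Evidenced asset inventory snapshot plus a check for unauthorized items.

Added example, not the article's own procedure. All inventory data below is
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: what a discovery run found on the firm's network today.
DISCOVERED = [
    {"type": "device", "id": "ws-017", "owner": "jdoe", "os": "Windows 8.1"},
    {"type": "device", "id": "ws-042", "owner": "asmith", "os": "Windows 7"},
    {"type": "device", "id": "unknown-mac-3c:2e", "owner": None, "os": "?"},
    {"type": "software", "id": "TeamViewer 10", "host": "ws-042"},
    {"type": "account", "id": "admin-shared", "mfa": False, "remote": True},
    {"type": "account", "id": "jdoe", "mfa": True, "remote": True},
]

# Constructed approved baseline: the (type, id) pairs compliance has signed off on.
APPROVED = {
    ("device", "ws-017"),
    ("device", "ws-042"),
    ("account", "jdoe"),
}


def snapshot(items, performed_by, when=None):
    """Build an evidenced inventory record: who ran it, when, and a content hash.

    Items are canonicalized (sorted, sorted keys) before hashing so the same
    inventory always yields the same digest regardless of discovery order.
    """
    when = when or datetime.now(timezone.utc)
    body = json.dumps(sorted(items, key=lambda i: (i["type"], i["id"])), sort_keys=True)
    return {
        "performed_by": performed_by,
        "timestamp": when.isoformat(),
        "item_count": len(items),
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
        "items": json.loads(body),
    }


def verify(snap):
    """Recompute the digest so a later reviewer can tell if the record was edited."""
    body = json.dumps(snap["items"], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest() == snap["sha256"]


def findings(snap, approved):
    """Flag what an examiner would ask about: items missing from the approved
    baseline, and remote-capable sign-ons that lack MFA."""
    out = []
    for it in snap["items"]:
        if (it["type"], it["id"]) not in approved:
            out.append(("unapproved", it["type"], it["id"]))
        if it["type"] == "account" and it.get("remote") and not it.get("mfa"):
            out.append(("remote-without-mfa", it["type"], it["id"]))
    return out


def diff(previous, current):
    """Compare two periodic snapshots: items that appeared or disappeared."""
    prev = {(i["type"], i["id"]) for i in previous["items"]}
    cur = {(i["type"], i["id"]) for i in current["items"]}
    return {"added": sorted(cur - prev), "removed": sorted(prev - cur)}


if __name__ == "__main__":
    today = snapshot(DISCOVERED, performed_by="cco")  # "cco" is a placeholder
    print("record intact:", verify(today))
    for f in findings(today, APPROVED):
        print("finding:", f)
    last_quarter = snapshot(DISCOVERED[:2], performed_by="cco")
    print("changes since last run:", diff(last_quarter, today))
```

The hash in the record is what makes the inventory "evidenced": the stored record can be handed to an examiner, and `verify` shows it has not been changed since it was produced. Keeping the approved baseline separate from the discovery output is deliberate, since the unauthorized items are exactly the difference between the two.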

The six steps are a good start, but more guidance is expected in 2015. The SEC has said it is working on guidance stemming from the 2014 cyber-exam initiative. SEC exam chief Andrew Bowden said he could not give an exact date, but he did say the SEC was working on defining best practices that would apply to firms regardless of “whether you are a two man shop or you are a much larger firm with an international scope”.

In addition, FINRA is set to publish the results of its cybersecurity sweep in early 2015. According to FINRA’s exam priorities letter, the report will include principles and effective practices firms should consider in developing and implementing their cybersecurity programs.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)
