The SEC & Cybersecurity: Expectations & Exam Prep for Investment Firms
It's no secret that cybersecurity has dominated the headlines of late as security threats and vulnerabilities continue to pose risks to businesses and individuals around the world. In the fast-paced world of financial services, firms are even more likely to become victims of cyberattacks -- either as a result of external hackers or internal threats. The Securities and Exchange Commission (SEC) has taken a proactive approach to cybersecurity in 2014 -- first by holding an informative roundtable examining the landscape and second by issuing a risk alert in April announcing that more than 50 firms will face security examinations in the near future.
As part of the announcement, the SEC provided firms with a seven-page document essentially mirroring a due diligence questionnaire or request for information. It asks firms to provide details about their technology infrastructure and operational policies and procedures as they relate to cybersecurity. The document is thorough, but it should be simple enough for firms to complete if they have a written information security plan (WISP) in place. Firms without a WISP will need to spend a significant amount of time gathering information to complete the questionnaire.
What information does the SEC want?
The document circulated by the SEC comprises several sections related to a firm's cybersecurity preparedness. The sections cover everything from identification of risks to protection of the firm's networks to detection of unauthorized activity and risks associated with vendors and other third parties. Though the document is comprehensive, the SEC's Office of Compliance Inspections and Examinations (OCIE) made it clear it was not necessarily all inclusive of the information the agency may seek from firms during the exam process.
Without getting into specific questions and answers, this is what the SEC is seeking from registered firms:
- An assertion that firms are conducting regular risk assessments to identify cybersecurity threats, as well as ongoing penetration testing and intrusion detection and prevention to thwart future attacks
- A dedicated person or persons responsible for managing cybersecurity, with clearly outlined roles and responsibilities for ongoing monitoring of the firm's networks and infrastructure, as well as for incident response management in the event of a security issue
- Details in the form of strict policies regarding access control and acceptable use in order to ensure internal employees cannot access data and systems they are not authorized to access
- Policies and procedures for working with third-party vendors that may be authorized to access the firm's network
- Identification and descriptions of any previous security incidents or attacks and the effects of such occurrences (malware detection, unauthorized access, hardware or software malfunctions, employee misconduct, etc.)
With the implementation of a WISP, investment firms can provide additional details to the SEC (and investors) about their cybersecurity preparedness. A WISP will identify administrative and technical safeguards for a firm, including:
- What is considered confidential data
- Where that data is located and how it is protected
- Who has access to confidential data
- Roles and responsibilities
- Internal and external communication procedures
- Assessment and evaluation of technical safeguards
Financial services firms should look to their IT/security staff or outsourced technology providers for help with completing the questionnaire and ensuring the necessary protocols are in place in the event the SEC comes calling. Additionally, administrators may prepare by obtaining sample answers to the SEC's cybersecurity questionnaire and learning how to identify specific risks from a recent Eze Castle Integration educational webinar on assessing a firm's compliance with SEC guidelines and exam readiness. However, employing a WISP is the most effective way of meeting these demands, and it demonstrates that a firm takes cybersecurity seriously -- something the SEC certainly wants to see.
Steve Schoener is vice president of client technology at Eze Castle Integration, a leading provider of IT solutions and private cloud services to more than 650 alternative investment firms around the world. He is responsible for driving technology growth through Eze Castle ...