S.E.C.’s New Cybersecurity Examination Initiative Puts People Issues First

Sep 20, 2015 | Blog

The Securities and Exchange Commission (SEC) is commencing a new round of cybersecurity examinations of investment advisers, investment companies and broker-dealers. The agency’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert and sample information request on September 15, 2015 showing that at least one U.S. government agency agrees with most cybersecurity experts that the basic vulnerability leading to data breaches is not a failure of technical safeguards. Rather, it is the failure of people to apply basic information-control common sense and to follow written protocols. The S.E.C. Risk Alert and sample information request are available here.

The Risk Alert throws down this gauntlet early, noting on its second page that “public reports have identified cybersecurity breaches related to weakness in controls.” The Alert later states that examiners will “gather information on cybersecurity-related controls and will also test implementation of certain controls.” The first such controls specified in the Alert are not technical safeguards. Rather, giving it pride of place, the OCIE starts out by stating that examiners may look into Governance and Risk Assessment, evaluating “whether registrants have documented cybersecurity governance and risk procedures” in place. Examiners may also look into whether senior management understands its role in safeguarding data, by examining “the level of communication to, and involvement of, senior management and boards of directors.” SEC Commissioners and Treasury Secretary Jack Lew have stated on a number of occasions that they will hold senior management and boards responsible for cybersecurity, and this Risk Alert puts those statements into practice. C-suite executives and directors should read this document carefully.

Included in the Alert is a sample information request that fleshes out these concepts. Documents that the examiners may request include “board minutes and briefing materials regarding cybersecurity incident response planning . . . and cybersecurity-related matters involving vendors,” information regarding “potential business and compliance consequences” of cybersecurity incidents, proof of training on information safeguards, due diligence and monitoring of vendors with regard to information security, and information regarding implementation of safeguards.

This Risk Alert matters to broker-dealers, investment advisers and investment companies because of the potential for spot examinations, but perhaps its most significant import is the information the S.E.C. will demand, and examine closely, in an examination that follows a breach or a subscriber complaint. These organizations would be wise to shore up their information security defenses now, before the S.E.C. comes knocking.

For more information on financial services information security compliance and risk management, please contact Kenneth N. Rashbaum.