The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) previously announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness. In connection with that statement of examination priority, OCIE recently issued a Risk Alert to provide additional information concerning its initiative to assess cybersecurity preparedness in the securities industry.
As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following:
- the entity’s cybersecurity governance,
- identification and assessment of cybersecurity risks,
- protection of networks and information,
- risks associated with remote customer access and funds transfer requests,
- risks associated with vendors and other third parties,
- detection of unauthorized activity, and
- experiences with certain cybersecurity threats.
OCIE has provided a sample form of request for information and documents that investment advisers and broker-dealers can expect to receive prior to this type of examination.
Although the SEC has stated that it believes the sample document request (see Appendix) should help to empower compliance professionals with questions and tools they can use to assess their firms’ level of preparedness, registrants should also expect the SEC to use the sample document as a basis for finding deficiencies, to the extent the guidance is not followed.