ACA Insight: the weekly news source for investment management legal and compliance professionals

News September 21, 2015 Issue

OCIE Reveals Cybersecurity Exam Focus, Issues Sample Information Request List

Governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. These are the areas that the SEC's Office of Compliance Inspections and Examinations will focus on during its exams of advisers and broker-dealers this year, OCIE said in a new risk alert.

The September 15 alert, "OCIE's 2015 Cybersecurity Examination Initiative," also includes a five-page sample list of information that OCIE may seek to review during these examinations. Advisers and broker-dealers would be wise to use this information not only to prepare for cybersecurity examinations, but also to improve their own internal cybersecurity programs.

By issuing the alert, OCIE "reinforces that firms need to be conducting risk assessments and implementing policies, procedures and controls around their technology environment, broadly," said ACA Aponix partner Raj Bakhru. "While largely in-line with prior guidance from the SEC, National Futures Association, FINRA, and the National Institute of Standards and Technology, this alert also provides a prescriptive sample information request list worth reviewing."

The risk alert, in fact, represents OCIE's most detailed effort yet in addressing cybersecurity. The SEC's interest first manifested itself with a March 2014 cybersecurity roundtable (ACA Insight, 4/7/14), during which industry representatives and others addressed the need to protect customer information and more. This was followed up in April 2014 by an OCIE risk alert announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness. Observations from these exams were published by OCIE in February 2015 (ACA Insight, 2/9/2015), and OCIE also included cybersecurity compliance and controls in its list of 2015 examination priorities.

"Given the agency staff's prior statements, it's no surprise that OCIE will be taking a deeper dive on certain issues," said Sutherland partner Brian Rubin, adding that "it's great that OCIE is being so transparent in its efforts. It shows the cybersecurity issues that the agency staff considers most important, and it highlights that it is in the interests of everyone (firms, clients and regulators) that firms focus on the correct issues. The SEC isn't interested in playing 'gotcha games.' They want firms to take the right steps."

Six areas of focus

The risk alert identifies six areas that OCIE examiners are expected to focus on:

  • Governance and risk assessment. Examiners will check to see if advisers and broker-dealers have cybersecurity governance and risk assessment processes in place, whether firms periodically evaluate cyber risk, and whether their controls and risk assessment procedures are tailored to their respective businesses. "The governance area is where a compliance person can have a big impact," said K&L Gates partner Sean Mahoney, noting that while compliance professionals may be less knowledgeable about firewalls or other IT areas, governance and risk assessments should be a natural fit.
  • Access rights and controls. "Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes," the risk alert says. Expect examiners to review how firms control access to various systems and data through management of user credentials, authentication and authorization methods.
  • Data loss prevention. "Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration," OCIE said. Expect examiners to assess how firms monitor the amount of content transferred outside their firms by employees or third parties, which they might do through email attachments or uploads. Documentation in areas like patch management by IT staff is essential, Mahoney said, as IT professionals often have processes for doing such work that compliance staff may not be aware of. For instance, IT staff may delay installing a patch because they need to first ensure that applications integrated with the system being patched will not be affected. "Compliance staff needs to make sure that IT staff document what was done and when it was done," he said.
  • Vendor management. Third-party vendor platforms pose a significant risk. "Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms," the risk alert states. Expect examiners to focus on firm practices and controls related to vendor management, including due diligence when selecting a vendor, monitoring and oversight, and contract terms.
  • Training. "Without proper training, employees and vendors may put a firm's data at risk," said OCIE. "Some data breaches may result from unintentional employee actions, such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source." Proper training allows employees and vendors to be a firm's "first line of defense."
  • Incident response. Examiners will want to know whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to handle a cybersecurity incident should one occur. "This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm," OCIE said.

"All firms should carefully review this alert to see how they would answer these questions, even if they think that the SEC won't be examining them in the near future," said Rubin.

Advisers and broker-dealers should also be aware that these may not be the only areas that examiners will look into. "Examiners may select additional areas based on risks identified during the course of the examinations," OCIE said.

Sample information request list

OCIE, in an appendix to the risk alert, provided a sample list of information it may review as part of an examination. As with the six areas it identified for examination, OCIE said that the sample request list "should not be considered all-inclusive," as circumstances may necessitate reviews of other documents.

Here are just some of the documents included:

  • Firm policies and procedures related to customer records and information, "including those designed to secure customer documents and information, protect against anticipated threats to customer information, and protect against unauthorized access to customer accounts or information."
  • Information regarding periodic risk assessments to identify cyber threats, vulnerabilities and potential business and compliance consequences.
  • Policies regarding penetration testing, including whether such testing was conducted by or on behalf of the firm, and the results of such tests.
  • Firm policies and procedures regarding access by unauthorized persons.
  • Information demonstrating the implementation of firm policies and procedures relating to employee access rights and controls.
  • Policies and procedures related to log-in attempts, log-in failures, lockouts, and unlocks or resets for perimeter-facing systems.
  • Instances in which system users, including employees, customers and vendors, received entitlements or access to firm data, systems or reports in contravention of the firm's policies or practices or without required authorization.
  • Policies and procedures regarding devices used to access the firm's system externally.
  • Policies and procedures related to enterprise data loss prevention and information related to data mapping, as well as the systems, utilities and tools used to prevent, detect and monitor data loss.
  • Third-party vendor policies and procedures, particularly in regard to due diligence when selecting vendors, contracts and agreements, supervision and risk assessments.
  • Policies and procedures of a firm's business continuity of operations plan that address mitigation of the effects of a cybersecurity incident and recovery from it.