Posted by Michael Heaton on 05/03/2016

The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) National Examination Priorities 2016 release confirms the agency’s continued emphasis on cybersecurity. In its September 2015 Risk Alert, OCIE announced the intention of the Commission to conduct a second phase of targeted cybersecurity examinations of Broker Dealer and Investment Adviser firms. In 2016, OCIE intends to advance those efforts and include testing and assessments of firms’ implementation of procedures and controls.

The examination priority, along with previously published Risk Alerts, reinforces the necessity for firms of every size to have cybersecurity policies and procedures reasonably designed to assist in the detection, prevention and remediation of cyber breaches. From a high-level perspective, the SEC’s Investment Management Division’s April 2015 guidance for advisers and funds follows a three-step approach:

  • Conduct periodic assessments;
  • Have a cybersecurity strategy with an incident response plan; and
  • Have written policies and procedures to mitigate cyber attacks.

Additionally, OCIE has periodically released findings from its examinations, and its most recent document request list for cybersecurity highlights particular areas of concern, which include:

  • Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
  • Access rights and controls, across, within and outside the enterprise, including credentialing, access tracking, and BYOD (bring your own device) issues.
  • Data loss prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally identifiable information.
  • Vendor management, implementing due diligence of, and downstream compliance controls over, third-party providers.
  • Training of employees and vendors.
  • Incident response plans and data protection priorities.

Firms should take a new look at their policies and procedures to ensure that they address these key areas of focus in particular detail. As the Risk Alert indicates, many of the exams will be brought onsite to provide an in-depth view of the firms’ business operations: “Examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls.”

Practical First Steps

The National Institute of Standards and Technology (NIST) has created an approach for firms of all sizes to improve their cyber protections. The framework, which was developed in collaboration with SIFMA, specifically includes a strategic overview of cybersecurity policies, written from a business context that allows both technical and non-technical individuals to discuss the topic. The Framework comprises five functional categories:

NIST Cybersecurity Framework (Function: Summary Description)

Identify
  • Identification of at-risk data
  • Assess the threat to and vulnerability of existing infrastructure
  • Understand all devices connected to the network and the network structure

Protect
  • Limit network access to authorized users and devices
  • Educate all users on cybersecurity awareness and risk management
  • Employ programs and services that secure data and networks (e.g. firewalls, file encryption, password protection, data backups)

Detect
  • Exercise network monitoring to detect threats in a timely manner
  • Evaluate the threat and understand its potential impact
  • Look for anomalies in the physical environment among users, including the presence of unauthorized users or devices

Respond
  • Contain and mitigate the event to prevent further damage
  • Coordinate with stakeholders to execute a response plan. Once detected, notify the proper authorities
  • Evaluate the response effort to improve the response plan

Recover
  • Execute recovery systems to restore systems and data
  • Update the response plan with lessons learned
  • Resume business activities with internal and external stakeholders and manage public relations

In order to cooperatively tackle the issue of cybersecurity across the financial industry, SIFMA strongly recommends participating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC provides financial services firms a platform to share up-to-date threat information and best practices to mitigate these threats.

Given the increasing and evolving threats, all firms must proactively and continuously work to include cybersecurity preparedness in all aspects of their compliance programs.