Regulatory Agencies Announce Results of Cybersecurity Initiatives
Editors’ Note: This article was originally published as a Mayer Brown Legal Update.
On February 3, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of the US Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) announced the results of their cybersecurity examination initiatives. Other financial services regulators have undertaken similar examination initiatives as cybersecurity has become one of the leading concerns for the financial services industry.
Beginning in 2013 and over a one-year period, OCIE examined 57 broker-dealers and 49 investment advisers, focusing on: (1) identification of cybersecurity risks; (2) cybersecurity governance and policies and procedures; (3) network protection (e.g., external frameworks and standards, training, certain technical controls, certain metrics, and incident response plans (“IRPs”)); (4) remote access to client information and fund transfer requests (e.g., informational material for client cybersecurity awareness and policies for addressing clients’ cyber-related losses); (5) vendors and third parties; and (6) detection of unauthorized activity (including technical controls for that purpose). It has been reported that OCIE plans to begin “Phase 2” of its cybersecurity examination initiative in fiscal year 2016, during which it will conduct on-site reviews of advisers and broker-dealers.
FINRA’s examination initiative consisted of: (1) a survey of 224 broker-dealers in 2011; (2) on-site reviews of broker-dealers in 2010 and 2011; and (3) targeted-examination letters (i.e., the sweep survey) that were sent to broker-dealers in 2014. FINRA’s cybersecurity initiative focused on the following topics: (1) cybersecurity governance (including written policies and procedures) and risk management; (2) cybersecurity risk assessments; (3) technical controls; (4) incident response planning; (5) vendor management; (6) staff training; (7) cyber intelligence and information sharing; and (8) cybersecurity insurance.
OCIE reported the results of its cybersecurity initiative in a “risk alert” that offers observations of industry cybersecurity practices (without any recommendations), which investment advisers and broker-dealers can use to review and enhance their cybersecurity programs. FINRA’s report on its cybersecurity initiative provides observations regarding broker-dealers’ current cybersecurity practices, as well as recommendations from FINRA regarding effective cybersecurity practices for broker-dealers.
This update begins with a discussion of OCIE and FINRA’s views regarding the prevalence of cyber attacks. Next, we review the regulators’ observations and recommendations concerning: (1) cybersecurity policies and procedures; (2) cybersecurity governance; (3) frameworks and standards; (4) metrics; (5) identification of risks; (6) technical controls; (7) responding to cybersecurity incidents; (8) vendor management; (9) staff training; (10) promoting client cybersecurity awareness; (11) cyber intelligence and information sharing; and (12) cybersecurity insurance.
(To read the entire report, click here.)