SEC Risk Alert – Cyber Security

As if April 15th wasn’t bad enough? In addition to it being Tax Day, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert discussing the planned sweep exams that will assess registrant cyber-security readiness and gather information related to recent experiences with cyber threats.

This is not a surprise given the attention to this area recently. The Financial Industry Regulatory Authority (“FINRA”) spearheaded a cyber-security sweep earlier this year; the SEC 2014 exam priorities included a focus on technology, including cyber-security preparedness; and, most recently, the SEC held a roundtable meeting where Chair Mary Jo White emphasized the “compelling need for stronger partnerships between the government and private sector” to address cyber threats.

Along with the Risk Alert, OCIE shared a sample document request letter that lists topics examiners will review including, but not limited to:

  • cyber-security governance,
  • identification and assessment of cyber-security risks,
  • protection of networks and information,
  • risks associated with remote customer access and fund transfer requests,
  • risks associated with vendors and other third parties,
  • detection of unauthorized activity, and
  • experiences with certain cyber-security threats.

We credit the SEC with providing the sample document request list, as this is not routine. It adds great value because it allows all investment firms, registered or not, to immediately assess their cyber-security risks using the SEC request list as a guide.