In January 2014, the Securities and Exchange Commission (SEC) announced that its Examination Priorities for 2014 would focus on technology, including cybersecurity preparedness. As part of the SEC’s focus, on April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert to provide broker-dealers (BDs) and registered investment advisors (RIAs) with additional information regarding the SEC’s initiative to assess cybersecurity preparedness.
The SEC’s OCIE cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and obtain information about the industry’s recent experiences with certain types of cyber threats. As part of the SEC’s initiative, the OCIE’s 2014 examinations of BDs and RIAs will focus on risks associated with the following:
- Cybersecurity governance and identification
- Protection of networks and information
- Remote customer access and funds transfer
- Vendors and other third parties
- Detection of unauthorized activity
- Experiences with cybersecurity threats
To prepare for the OCIE’s 2014 examinations, legal and compliance staff for BDs and RIAs should (i) review their existing policies and procedures relating to cybersecurity, data privacy and identity theft to determine if they are responsive to the risks outlined in the OCIE’s Risk Alert, (ii) assess their supervisory, compliance and/or other risk management systems related to these risks, with reference to standards such as those issued by the National Institute of Standards and Technology or the International Organization for Standardization, and (iii) make any changes, as may be appropriate, to address or strengthen such systems.