Locke Lord QuickStudy: New Round of SEC Cybersecurity Examinations of Financial Service Firms and Their Cyber Controls

FUNDamentals™ Series
Locke Lord LLP
September 22, 2015

The Office of Compliance Inspections and Examinations (the OCIE) has just published a new Risk Alert on cyber risks and precautions identifying specific areas it will be focusing on during the second round of examinations of brokerage and advisory firms this year.

In an appendix attached to the Risk Alert, the OCIE lists documents and materials each firm should maintain. These include board minutes and briefing materials on cyber risks and planning, periodic risk assessments, data mapping of personal information, and relevant third party vendor management policies.

In this second round of examinations, examiners will continue to gather information on cybersecurity-related controls and will assess what progress firms are making on cybersecurity. In this Risk Alert, the OCIE noted six areas of focus and provided items to consider for each area, which are summarized below:

Governance and Risk Assessment

  • Policies and procedures relating to the protection of customer or client records and information;
  • Board minutes and briefing materials regarding
    • cyber-related risks 
    • cybersecurity incident response planning, and
    •  actual cybersecurity incidents;
  • Information regarding the firm’s chief information security officer;
  •  Information regarding the firm’s periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential compliance consequences; and
  • Information regarding the firm’s vulnerability scans and related findings together with any responsive action taken.

Access Rights and Controls
  • Policies regarding access by unauthorized persons to firm network resources;
  • Firm use of multi-factor authentication for employees and customers;
  • Policies and procedures related to log-in attempts, log-in failures, lockouts, and unlocks or resets for perimeter-facing systems and information; 
  • Policies regarding devices used to access the firm’s systems externally; and
  • Information related to any internal audit that covered access rights and controls.

Data Loss Prevention
  • Policies related to enterprise data loss prevention and data classification;
  • Information regarding data mapping with particular emphasis on understanding information ownership, and
  • Policies related to monitoring exfiltration and unauthorized distribution of sensitive information.

Vendor Management
  • Policies related to third party vendors addressing contractual terms, supervision, monitoring, access control;
  • Policies regarding risk assessments, risk management, and performance measures required of vendors;
  • Information relating to how the firm handles its relationships with vendors providing cybersecurity and other IT-related services; and
  • Information regarding any written contingency plans the firm has with its vendors

  • Information concerning the training provided to employees and vendors regarding information security and risks, including:
    • the dates of such trainings
    • the training method, and
    • and the groups participating in the trainings. 

Incident Response
  • A business continuity plan addressing the mitigation of the effects of a cybersecurity incident and/or a plan of recovery;
  • The process for running tests or exercises of the business continuity plan, including the frequency of such tests and their results;
  • Information regarding system-generated alerts related to the loss of sensitive information;
  • Information regarding the discovery process, escalation, and any responsive remediation efforts taken with regard to any incidents of unauthorized internal or external distributions of personally identifiable information or access of such unauthorized access of firm systems; and
  • Information regarding the amount of any actual client losses associated with cyber incidents, as well as any amount of client losses reimbursed by the firm or insurance claims related to cyber events which were filed.

Although these areas are designated by the OCIE as of particular importance, examiners may select additional items to review during the course of the examination.

The full text of the OCIE’s Risk Alert can be found here.

As we have in the past, we will continue to monitor these issues and will provide future client updates. This QuickStudy is for guidance only and is not intended to be a substitute for specific legal advice. If you would like more information on the matters discussed here, please contact the authors.