The SEC continues to increase its focus on cybersecurity preparedness. As we have reported in prior blogs here and here, we believe that cybersecurity will become an increasingly important element of the SEC’s disclosure and enforcement efforts. Recent events show that the SEC is ramping up its efforts in the cybersecurity area, and we believe that all companies who are potentially affected by these SEC activities should pay special attention to their cybersecurity preparedness and should anticipate possible SEC action in this area.
The SEC’s most recent activity in the cybersecurity area involves registered broker-dealers and registered investment advisers. These entities are logical choices for a cybersecurity focus because of the large volume of confidential and very sensitive customer information that they hold. The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced this cybersecurity focus in an April 15, 2014 Risk Alert which stated that the SEC plans to mount an initiative to assess cybersecurity preparedness in the securities industry. The SEC had previously laid the groundwork for this initiative during a March 26, 2014 Cybersecurity Roundtable when Chair White stressed the vital importance of cybersecurity to our market system and consumer data protection. She also called for more public/private cooperation in strengthening cybersecurity preparedness. Other SEC participants at this Roundtable stressed the importance of gathering data and information regarding cybersecurity preparedness so that the SEC could determine what additional steps it should take in this area.
The OCIE’s cybersecurity initiative will assess cybersecurity preparedness in the securities industry and obtain data and information about the securities industry’s recent experiences with cyber threats and cybersecurity breaches. As part of this initiative, the OCIE announced that it will conduct examinations of more than 50 registered broker-dealers and registered investment advisers to obtain cybersecurity data and information and to assess the preparedness of these entities to defend against cyber threats. According to the Risk Alert, this investigation will focus on such things as cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
The OCIE also took a fairly surprising step in this Risk Alert by issuing (in the Appendix to the Risk Alert) a sample list of the questions that OCIE investigators may ask when they conduct these cybersecurity investigations. This shows a real effort by the SEC to act cooperatively in this area and to attempt to forge more public/private cooperative efforts. Rather than surprising the companies that are the targets of such investigations, the OCIE is giving them helpful information up front that should substantially help them both in understanding what the OCIE is looking for and in evaluating their cybersecurity preparedness.
This list of potential questions is extensive, and it requests information about the respondent’s current cybersecurity preparedness and its experience with cybersecurity problems and situations such as the discovery of malware, denial of service attacks, extortion threats, and unauthorized network access. It appears that the OCIE is attempting to build a database at this point that will provide a valid picture of the current status of cybersecurity preparedness in the securities industry rather than identifying specific problem companies and situations. This is reminiscent of Senator Rockefeller’s September 2012 letter regarding cybersecurity preparedness sent to the CEO’s of Fortune 500 companies as described in my prior blog post.
FINRA had previously announced a similar investigative process in a January 2014 post on its website. In this post FINRA advised its member firms that it will investigate some of them to determine their level of protection from cyber threats.
It’s interesting to note that the United States Government Accountability Office issued a report on April 17, 2014 (just two days after the OCIE issued the Risk Alert) that was very critical of the SEC’s own internal cybersecurity practices. This must have been a bit embarrassing for the SEC. The FierceFinanceIT blog posted a good summary of this GAO report.
I believe that this is the first time that the SEC has included cybersecurity in a list of pending examinations. This supports the increased concern that this topic has generated with the SEC. This concern has likely been intensified by recent data breaches and cybersecurity problems at some of our largest companies.
This SEC/OCIE initiative focuses on registered broker dealers and investment advisers, but this is only one aspect of the SEC’s stronger focus on cybersecurity preparedness. Information about a company’s cybersecurity preparedness and its record of cybersecurity activities and problems will become a more critical aspect of all disclosure obligations. All reporting companies should review and evaluate the list of questions posed in the Risk Alert as these questions provide clear guidance regarding the SEC’s position on cybersecurity issues and probably areas of focus during an investigation. Registered broker dealers and investment advisers face immediate scrutiny, but all reporting companies will soon encounter additional focus on their cybersecurity situations.