This week the SEC's Office of Compliance Inspections and Examinations ("OCIE") announced a second-round of cybersecurity examinations, continuing its initiatives on the issue. The move follows the SEC's: March 2014 roundtable of regulators and industry representatives; April 2014 Risk Alert announcing a sweep exam to identify risks and issues; and February 2015 summary observations from that sweep. In this second round of exams, OCIE will engage in more testing directed at firms' implementation of key controls and procedures, especially:
- Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
- Access Rights & Controls, across, within and without the enterprise and including credentialing, access tracking, BOYD (bring your own device) issues.
- Data Loss Prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally-identifiable information.
- Vendor Management, implementing due-diligence of, and downstream compliance controls over, third-party providers.
- Training of employees and vendors.
- Incident Response Plans and data protection priorities.
The announcement also includes a list of sample exam inquiries. The Securities Industry and Financial Markets Association ("SIFMA") offers business continuity services to the industry, including cybersecurity webinars and table-top exercises for small firms, cybersecurity insurance programs and the industry-wide periodic "Quantum Dawn" exercises simulating a street-wide cyber-attack. Those resources are described here: http://www.sifma.org/services/bcp/business-continuity-planning/
OCIE's September 15 announcement is here: http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf Thomas K. Potter, III
(firstname.lastname@example.org) is a partner in the Securities Litigation Practice Group at Burr & Forman, LLP. Tom is licensed in Tennessee, Texas and Louisiana. He has over 29 years' experience representing financial institutions in litigation, regulatory and compliance matters. See attorney profile.
© 2015 by Thomas K. Potter, III (all rights reserved).