OCIE to Conduct More Cybersecurity Exams
This week the SEC's Office of Compliance Inspections and Examinations ("OCIE") announced a second-round of cybersecurity examinations, continuing its initiatives on the issue. The move follows the SEC's: March 2014 roundtable of regulators and industry representatives; April 2014 Risk Alert announcing a sweep exam to identify risks and issues; and February 2015 summary observations from that sweep. In this second round of exams, OCIE will engage in more testing directed at firms' implementation of key controls and procedures, especially:
  • Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
  • Access Rights & Controls, across, within and without the enterprise and including credentialing, access tracking, BOYD (bring your own device) issues.
  • Data Loss Prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally-identifiable information.
  • Vendor Management, implementing due-diligence of, and downstream compliance controls over, third-party providers.
  • Training of employees and vendors.
  • Incident Response Plans and data protection priorities.
The announcement also includes a list of sample exam inquiries. The Securities Industry and Financial Markets Association ("SIFMA") offers business continuity services to the industry, including cybersecurity webinars and table-top exercises for small firms, cybersecurity insurance programs and the industry-wide periodic "Quantum Dawn" exercises simulating a street-wide cyber-attack. Those resources are described here: http://www.sifma.org/services/bcp/business-continuity-planning/ OCIE's September 15 announcement is here: http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf Thomas K. Potter, III (tpotter@burr.com) is a partner in the Securities Litigation Practice Group at Burr & Forman, LLP. Tom is licensed in Tennessee, Texas and Louisiana. He has over 29 years' experience representing financial institutions in litigation, regulatory and compliance matters. See attorney profile. © 2015 by Thomas K. Potter, III (all rights reserved).
Jump to Page
Arrow icon Top

Contact Us

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.