OCIE Risk Alert on Cybersecurity: SEC’s Office of Compliance Inspections and Examinations Announces Findings from its Cybersecurity Examination Initiative
Sullivan & Cromwell LLP - February 5, 2015
On February 3, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert summarizing findings from its Cybersecurity Examination Initiative relating to broker-dealers and investment advisers, which was announced in April 2014. A copy of the Risk Alert is included as Annex A.
OCIE examined 106 firms to enhance its understanding of the ways broker-dealers and investment advisers address the legal, regulatory, and compliance issues associated with cybersecurity. Specifically, OCIE collected and analyzed information from the selected firms relating to their practices for identifying risks related to cybersecurity; establishing cybersecurity governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity. The examinations did not include a substantive review of any policies or procedures and did not assess their efficacy. As a consequence, the Risk Alert provides statistical data about the percentage of firms that responded affirmatively to questions on the examination, but does not yet provide guidance on the governance and risk management standards that may be applied to broker-dealers and investment advisers. Moreover, the Risk Alert does not categorize examination findings based on the size of the firm responding, because OCIE is “still reviewing” the data for “correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics.”
Nonetheless, the Risk Alert provides high-level information about the processes of broker-dealers and investment advisers in addressing cybersecurity risks, information that may be useful for purposes of benchmarking. For example, the Risk Alert reports that