OCIE Risk Alert on Cybersecurity: SEC’s Office of Compliance Inspections and Examinations Announces Findings from its Cybersecurity Examination Initiative

Sullivan & Cromwell LLP - February 5, 2015

On February 3, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert summarizing findings from its Cybersecurity Examination Initiative relating to broker-dealers and investment advisers, which was announced in April 2014.  A copy of the Risk Alert is included as Annex A.

OCIE examined 106 firms to enhance its understanding of the ways broker-dealers and investment advisers address the legal, regulatory, and compliance issues associated with cybersecurity.  Specifically, OCIE collected and analyzed information from the selected firms relating to their practices for identifying risks related to cybersecurity; establishing cybersecurity governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity.  The examinations did not include a substantive review of any policies or procedures and did not assess their efficacy.  As a consequence, the Risk Alert provides statistical data about the percentage of firms that responded affirmatively to questions on the examination, but does not yet provide guidance on the governance and risk management standards that may be applied to broker-dealers and investment advisers.  Moreover, the Risk Alert does not categorize examination findings based on the size of the firm responding, because OCIE is “still reviewing” the data for “correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics.”

Nonetheless, the Risk Alert provides high-level information about the processes of broker-dealers and investment advisers in addressing cybersecurity risks, information that may be useful for purposes of benchmarking.  For example, the Risk Alert reports that

only a small proportion of the broker-dealers (11%) and the advisers (4%) reported incidents in which an employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client, or firm information, or in damage to the firms’ networks.
A firm that has experienced such conduct may wish to review the efficacy of its systems intended to prevent misappropriation of data by employees and the adequacy of its employee training.  Conversely, where the Risk Alert states that most or almost all firms surveyed have taken an action (e.g., the “vast majority” have adopted written information security policies), a firm should do the same or memorialize its determination that such action was not necessary in the firm’s particular circumstances.