Compliance

09:00 AM
Steve Schoener
Commentary

The SEC & Cybersecurity: Expectations & Exam Prep for Investment Firms

The current SEC questionnaire asks firms for details about their technology infrastructure, operational policies, and procedures as they relate to cybersecurity.

It's no secret that cybersecurity has dominated the headlines of late as security threats and vulnerabilities continue to pose risks to businesses and individuals around the world. In the fast-paced world of financial services, firms are even more likely to become victims of cyberattacks -- either as a result of external hackers or internal threats. The Securities and Exchange Commission (SEC) has taken a proactive approach to cybersecurity in 2014 -- first by holding an informative roundtable examining the landscape and second by issuing a risk alert in April announcing that more than 50 firms will face security examinations in the near future.

As part of the announcement, the SEC provided firms with a seven-page document essentially mirroring a due diligence questionnaire or request for information. It asks firms to provide details about their technology infrastructure and operational policies and procedures as they relate to cybersecurity. The document is thorough, but it should be simple enough for firms to complete if they have a written information security plan (WISP) in place. Firms without a WISP will need to spend a significant amount of time gathering information to complete the questionnaire.

What information does the SEC want?
The document circulated by the SEC comprises several sections related to a firm's cybersecurity preparedness. The sections cover everything from identification of risks to protection of the firm's networks to detection of unauthorized activity and risks associated with vendors and other third parties. Though the document is comprehensive, the SEC's Office of Compliance Inspections and Examinations (OCIE) made it clear it was not necessarily all inclusive of the information the agency may seek from firms during the exam process.

Without getting into specific questions and answers, this is what the SEC is seeking from registered firms:

  • An assertion that firms are conducting regular risk assessments to identify cybersecurity threats, as well as ongoing penetration testing and intrusion detection and prevention to thwart future attacks
  • A dedicated person or persons responsible for managing cybersecurity, with clearly outlined roles and responsibilities for ongoing monitoring of firm networks and infrastructure, as well as for incident response management in the event of a security issue
  • Details in the form of strict policies regarding access control and acceptable use in order to ensure internal employees cannot access data and systems they are not authorized to access
  • Policies and procedures for working with third-party vendors that may be authorized to access the firm's network
  • Identification and descriptions of any previous security incidents or attacks and the effects of such occurrences (malware detection, unauthorized access, hardware or software malfunctions, employee misconduct, etc.)

With the implementation of a WISP, investment firms can provide additional details to the SEC (and investors) about their cybersecurity preparedness. A WISP will identify administrative and technical safeguards for a firm, including:

  • What is considered confidential data
  • Where that data is located and how it is protected
  • Who has access to confidential data
  • Roles and responsibilities
  • Internal and external communication procedures
  • Assessment and evaluation of technical safeguards

Financial services firms should look to their IT/security staff or outsourced technology providers for help with completing the questionnaire and ensuring the necessary protocols are in place in the event the SEC comes calling. Administrators can also prepare by obtaining sample answers to the SEC's cybersecurity questionnaire and learning how to identify specific risks from a recent Eze Castle Integration educational webinar on assessing a firm's compliance with SEC guidelines and exam readiness. However, employing a WISP is the most effective way of meeting these demands, and it demonstrates that a firm takes cybersecurity seriously -- something the SEC certainly wants to see.

Steve Schoener is vice president of client technology at Eze Castle Integration, a leading provider of IT solutions and private cloud services to more than 650 alternative investment firms around the world. He is responsible for driving technology growth through Eze Castle ...
Comments
IvySchmerken
User Rank: Author
6/30/2014 | 12:23:19 PM
Re: Good to see
Jonathan, that's a great point! Vendors are linked to other vendors which could expose them to malware, viruses and other risks. The security ecosystem can get very complicated for banks and vendors to map out.
Jonathan_Camhi
User Rank: Author
6/30/2014 | 12:13:21 PM
Re: Good to see
I'd expect that over time that concern around vendors will expand to the vendors' vendors. Regulators are going to want to see that firms have some handle on their entire IT ecosystem and understanding the vulnerabilities in that ecosystem is going to require that expansion.
IvySchmerken
User Rank: Author
6/30/2014 | 10:30:25 AM
Re: Good to see
Yes, regulators can hold banks responsible for a weakness introduced by a third party vendor. Banks tend to have a function dedicated to vetting third party relationships to ensure vendors meet all the criteria. Now the increase in cybersecurity threats adds a whole new dimension. Third parties need to be transparent with firms about their cybersecurity preparations.
Greg MacSweeney
User Rank: Author
6/30/2014 | 7:04:57 AM
Re: Good to see
Third-party technology partners have always gone through a rigorous evaluation by banks. The banks know that if something bad happens with a vendor, it's still the bank's responsibility. The SEC won't accept the excuse, "It's not our bank's fault, the vendor caused the problem." The SEC will tell the bank it should have done a better job evaluating their vendor (oh, and here is a big $$$ fine for not doing a thorough eval).
IvySchmerken
User Rank: Author
6/29/2014 | 11:06:43 PM
Re: Good to see
Investment firms can be vulnerable to a cyber hack or attack through their vendors. This happened with Target's breach. I think the emphasis on third-party vendors is to make sure that investment advisers discuss cybersecurity with their third party vendors and work together to close any gaps.
Becca L
User Rank: Author
6/29/2014 | 8:08:18 PM
Re: Good to see
This exam rightly targets the security of third party providers, and puts those vendors in an interesting position of helping answer these exam questions. Perhaps it's forcing them to sit down and write down their protocols in a way that hadn't been addressed before. It's good to see the SEC initiating these conversations (although hopefully they have already been had).
Becca L
User Rank: Author
6/29/2014 | 8:04:05 PM
Re: Good to see
Great article, Steve! Question: This exam is heavily focused on defense (or "vigilance"), but what about a company's response ("resilience")? Does the SEC have any kind of Exam Prep for how a company reacts to a security breach?
IvySchmerken
User Rank: Author
6/26/2014 | 9:12:26 AM
Re: Attacks on hedge funds - a new concern?
I agree. Large institutional investors are probably asking questions about cyber security preparedness when they perform their due diligence on hedge funds. Consultants and outsourcing providers are definitely out there providing this kind of advice. In addition to Eze Castle Integration, Gravitas authored a white paper

Business continuity or disaster recovery was definitely a question on the list, but now cyber security is going to be added if it wasn't there already.

Greg MacSweeney
User Rank: Author
6/26/2014 | 8:22:56 AM
Re: Attacks on hedge funds - a new concern?
With the trillions of dollars that hedge funds have, it is a wise thing to monitor their cyber preparedness as well. True, it is another layer of compliance and regulation, but it is important. I imagine the larger institutional investors will add questions to their own audits of hedge funds, if they don't have those questions in their audits already.
IvySchmerken
User Rank: Author
6/25/2014 | 12:38:18 PM
Attacks on hedge funds - a new concern?
The SEC's cybersecurity focused questionnaire and examination is very timely. Hedge funds have been a target of multiple cyber security attacks, according to a June 3rd Bloomberg article that spoke to several cybersecurity companies as sources.

http://www.bloomberg.com/news/2014-06-23/hedge-fund-hack-part-of-bigger-siege-cyber-experts.html

While hackers are broadly targeting the financial sector, hedge funds with $3 trillion in assets are on the radar screen. Since hedge funds tend to be small private entities, they may not be required to report these attacks as would a public company. Under the SEC guidelines, that would change for registered investment advisers.