Steve Schoener

The SEC & Cybersecurity: Expectations & Exam Prep for Investment Firms

The current SEC questionnaire asks firms for details about their technology infrastructure, operational policies, and procedures as they relate to cybersecurity.

It's no secret that cybersecurity has dominated the headlines of late, as threats and vulnerabilities continue to pose risks to businesses and individuals around the world. In the fast-paced world of financial services, firms are especially likely targets of cyberattacks, whether from external attackers or from insiders. The Securities and Exchange Commission (SEC) took a proactive approach to cybersecurity in 2014 -- first by holding an informative roundtable examining the landscape, and second by issuing a risk alert in April announcing that more than 50 registered firms would face cybersecurity examinations in the near future.

As part of the announcement, the SEC provided firms with a seven-page document essentially mirroring a due diligence questionnaire or request for information. It asks firms to provide details about their technology infrastructure and operational policies and procedures as they relate to cybersecurity. The document is thorough, but it should be simple enough for firms to complete if they have a written information security plan (WISP) in place. Firms without a WISP will need to spend a significant amount of time gathering information to complete the questionnaire.

What information does the SEC want?
The document circulated by the SEC comprises several sections related to a firm's cybersecurity preparedness. The sections cover everything from identification of risks, to protection of the firm's networks, to detection of unauthorized activity, to risks associated with vendors and other third parties. Though the document is comprehensive, the SEC's Office of Compliance Inspections and Examinations (OCIE) made it clear that it is not necessarily all-inclusive of the information the agency may seek from firms during the exam process.

Without getting into specific questions and answers, this is what the SEC is seeking from registered firms:

  • An assertion that firms are conducting regular risk assessments to identify cybersecurity threats, as well as ongoing penetration testing and intrusion detection and prevention to thwart future attacks
  • A dedicated person or persons responsible for managing cybersecurity, with clearly defined roles and responsibilities for ongoing monitoring of the firm's networks and infrastructure, as well as for incident response in the event of a security issue
  • Written, enforced policies on access control and acceptable use, ensuring that employees cannot reach data and systems they are not authorized to access
  • Policies and procedures for working with third-party vendors that may be authorized to access the firm's network
  • Identification and descriptions of any previous security incidents or attacks and the effects of such occurrences (malware detection, unauthorized access, hardware or software malfunctions, employee misconduct, etc.)

With the implementation of a WISP, investment firms can provide additional details to the SEC (and investors) about their cybersecurity preparedness. A WISP will identify administrative and technical safeguards for a firm, including:

  • What is considered confidential data
  • Where that data is located and how it is protected
  • Who has access to confidential data
  • Roles and responsibilities
  • Internal and external communication procedures
  • Assessment and evaluation of technical safeguards

Financial services firms should draw on their IT/security staffs or outsourced technology providers both to complete the questionnaire and to ensure the necessary controls are actually in place before the SEC comes calling. Administrators can also prepare by reviewing sample answers to the SEC's cybersecurity questionnaire and learning how to identify specific risks, for example through a recent Eze Castle Integration educational webinar on assessing a firm's compliance with SEC guidelines and exam readiness. However, adopting a WISP is the most effective way of meeting these demands, and it demonstrates that a firm takes cybersecurity seriously -- something the SEC certainly wants to see.

Steve Schoener is vice president of client technology at Eze Castle Integration, a leading provider of IT solutions and private cloud services to more than 650 alternative investment firms around the world. He is responsible for driving technology growth through Eze Castle ...