Compliance
09:00 AM
Steve Schoener
Commentary

The SEC & Cybersecurity: Expectations & Exam Prep for Investment Firms

The current SEC questionnaire asks firms for details about their technology infrastructure, operational policies, and procedures as they relate to cybersecurity.

It's no secret that cybersecurity has dominated the headlines of late as security threats and vulnerabilities continue to pose risks to businesses and individuals around the world. In the fast-paced world of financial services, firms are even more likely to become victims of cyberattacks -- either as a result of external hackers or internal threats. The Securities and Exchange Commission (SEC) has taken a proactive approach to cybersecurity in 2014 -- first by holding an informative roundtable examining the landscape and second by issuing a risk alert in April announcing that more than 50 firms will face security examinations in the near future.

As part of the announcement, the SEC provided firms with a seven-page document essentially mirroring a due diligence questionnaire or request for information. It asks firms to provide details about their technology infrastructure and operational policies and procedures as they relate to cybersecurity. The document is thorough, but it should be simple enough for firms to complete if they have a written information security plan (WISP) in place. Firms without a WISP will need to spend a significant amount of time gathering information to complete the questionnaire.

What information does the SEC want?
The document circulated by the SEC comprises several sections related to a firm's cybersecurity preparedness. The sections cover everything from identification of risks to protection of the firm's networks to detection of unauthorized activity and risks associated with vendors and other third parties. Though the document is comprehensive, the SEC's Office of Compliance Inspections and Examinations (OCIE) made it clear it was not necessarily all inclusive of the information the agency may seek from firms during the exam process.

Without getting into specific questions and answers, this is what the SEC is seeking from registered firms:

  • An assertion that firms are conducting regular risk assessments to identify cybersecurity threats, as well as ongoing penetration testing and intrusion detection and prevention to thwart future attacks
  • A dedicated person or persons responsible for management of cybersecurity, including clearly outlined roles and responsibilities with regard to ongoing monitoring of firm networks and infrastructure, as well as incident response management in the event of a security issue
  • Details in the form of strict policies regarding access control and acceptable use in order to ensure internal employees cannot access data and systems they are not authorized to access
  • Policies and procedures for working with third-party vendors that may be authorized to access the firm's network
  • Identification and descriptions of any previous security incidents or attacks and the effects of such occurrences (malware detection, unauthorized access, hardware or software malfunctions, employee misconduct, etc.)

With the implementation of a WISP, investment firms can provide additional details to the SEC (and investors) about their cybersecurity preparedness. A WISP will identify administrative and technical safeguards for a firm, including:

  • What is considered confidential data
  • Where that data is located and how it is protected
  • Who has access to confidential data
  • Roles and responsibilities
  • Internal and external communication procedures
  • Assessment and evaluation of technical safeguards

Financial services firms should be looking to leverage their IT/security staffs or outsourced technology providers for help with completing the questionnaire and ensuring the necessary protocols are in place in the event the SEC comes calling. Additionally, administrators may prepare by obtaining sample answers to the SEC's cybersecurity questionnaire and determining how to identify specific risks from a recent Eze Castle Integration educational webinar on how to assess a firm's compliance with SEC guidelines and exam readiness. However, employing a WISP is the most effective way of meeting these demands, and it demonstrates that a firm takes cybersecurity seriously -- something the SEC certainly wants to see.

Steve Schoener is vice president of client technology at Eze Castle Integration, a leading provider of IT solutions and private cloud services to more than 650 alternative investment firms around the world. He is responsible for driving technology growth through Eze Castle ...

Comments
Greg MacSweeney,
User Rank: Author
6/25/2014 | 9:37:00 AM
Good to see
Although firms face a ton of other regulations and compliance audits, it is good to see they are also being monitored and evaluated for cyber security. Law enforcement cyber experts are worried that cyber criminals will target the markets next. And once they disrupt the markets, they will attempt to profit during the resulting chaos. Hopefully the SEC security audits help make the industry's defences better and it is not just an exercise in additional (and costly) compliance and audit sessions.
andrewboon2739,
User Rank: Apprentice
6/25/2014 | 10:01:28 AM
Right Step
Good initiative. With the risks posed by issues related to cyber security increasing, this is a step in the right direction; regulating cyber security is a sure way of ensuring sensitive data is safe. I work for McGladrey; join us for a webcast outlining the latest on cybersecurity in financial services and what you need to know to be ready for the Office of Compliance, Inspections and Examinations' (OCIE's) new cybersecurity initiative @ http://events.mcgladrey.com/CyberSecurityWebcast070914
IvySchmerken,
User Rank: Author
6/25/2014 | 12:38:18 PM
Attacks on hedge funds - a new concern?
The SEC's cybersecurity focused questionnaire and examination is very timely. Hedge funds have been a target of multiple cyber security attacks, according to a June 3rd Bloomberg article that spoke to several cybersecurity companies as sources.

http://www.bloomberg.com/news/2014-06-23/hedge-fund-hack-part-of-bigger-siege-cyber-experts.html

While hackers are broadly targeting the financial sector, hedge funds with $3 trillion in assets are on the radar screen. Since hedge funds tend to be small private entities, they may not be required to report these attacks as would a public company. Under the SEC guidelines, that would change for registered investment advisers.
Greg MacSweeney,
User Rank: Author
6/26/2014 | 8:22:56 AM
Re: Attacks on hedge funds - a new concern?
With the trillions of dollars that hedge funds have, it is a wise thing to monitor their cyber preparedness as well. True, it is another layer of compliance and regulation, but it is important. I imagine the larger institutional investors will add questions to their own audits of hedge funds, if they don't have those questions in their audits already.
IvySchmerken,
User Rank: Author
6/26/2014 | 9:12:26 AM
Re: Attacks on hedge funds - a new concern?
I agree. Large institutional investors are probably asking questions about cyber security preparedness when they perform their due diligence on hedge funds. Consultants and outsourcing providers are definitely out there providing this kind of advice. In addition to Eze Castle Integration, Gravitas authored a white paper

Business continuity or disaster recovery was definitely a question on the list, but now cyber security is going to be added if it wasn't there already.
Becca L,
User Rank: Author
6/29/2014 | 8:04:05 PM
Re: Good to see
Great article, Steve! Question: This exam is heavily focused on defense (or "vigilance"), but what about a company's response ("resilience")? Does the SEC have any kind of Exam Prep for how a company reacts to a security breach?
Becca L,
User Rank: Author
6/29/2014 | 8:08:18 PM
Re: Good to see
This exam rightly targets the security of third-party providers, and puts those vendors in an interesting position of helping answer these exam questions. Perhaps it's forcing them to sit down and write down their protocols in a way that hadn't been addressed before. It's good to see the SEC initiating these conversations (although hopefully they have already been had).
IvySchmerken,
User Rank: Author
6/29/2014 | 11:06:43 PM
Re: Good to see
Investment firms can be vulnerable to a cyber hack or attack through their vendors. This happened with Target's breach. I think the emphasis on third-party vendors is to make sure that investment advisers discuss cybersecurity with their third-party vendors and work together to close any gaps.
Greg MacSweeney,
User Rank: Author
6/30/2014 | 7:04:57 AM
Re: Good to see
Third-party technology partners have always gone through a rigorous evaluation by banks. The banks know that if something bad happens with a vendor, it's still the bank's responsibility. The SEC won't accept the excuse, "It's not our bank's fault, the vendor caused the problem." The SEC will tell the bank it should have done a better job evaluating their vendor (oh, and here is a big $$$ fine for not doing a thorough eval).
IvySchmerken,
User Rank: Author
6/30/2014 | 10:30:25 AM
Re: Good to see
Yes, regulators can hold banks responsible for a weakness introduced by a third party vendor. Banks tend to have a function dedicated to vetting third party relationships to ensure vendors meet all the criteria. Now the increase in cybersecurity threats adds a whole new dimension. Third parties need to be transparent with firms about their cybersecurity preparations.