They’re Baaaack . . . SEC’s Office of Compliance Inspections and Examinations Releases New Cybersecurity Risk Alert
Yesterday, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert describing OCIE’s 2015 cybersecurity exam initiative (www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf). As the Risk Alert notes, OCIE’s new cybersecurity initiative builds on information OCIE learned from its 2014 cybersecurity sweep, which examined whether securities firms had taken basic steps to create and implement a cybersecurity program (http://www.sutherland.com/NewsCommentary/Legal-Alerts/170000/Legal-Alert-SEC-Releases-Results-of-2014-Cybersecurity-Exam-Sweep). However, while OCIE’s new cyber-exam expands on OCIE’s 2014 exam, OCIE will continue to focus on the basics. The Risk Alert notes, for example, that “public reports have identified cybersecurity breaches related to weaknesses in basic controls. As a result, examiners will gather information on cybersecurity-related controls and will also test to assess implementation of firm controls.” Nonetheless, the new Risk Alert also confirms recent anecdotal reports, which have suggested that OCIE will be digging deeper than it did in 2014.
OCIE’s Risk Alert reflects its dual focus on basic and in-depth cybersecurity practices. Notably, some of OCIE’s possible 2015 cyber-exam topics presume that firms have already taken some of the basic cybersecurity steps that OCIE examined in 2014. Topics from OCIE’s new Risk Alert include the following:
Governance and Risk Assessments
- Firm “[p]atch management practices,” which include how firms “prompt[ly]” install software patches
- If applicable, cyber-related materials provided to the firm’s board
- “Information regarding the firm’s Chief Information Security Officer (‘CISO’) or equivalent position”
- Information concerning firms’ “vulnerability scans and any related findings and responsive remediation efforts taken”
Access Rights and Controls
- Policies regarding access rights to the firm’s network (for both users and devices), including “[d]ocumentation evidencing the tracking of employee access rights, changes to those access rights, and any manager approvals for those changes”
- Whether and how firms use multi-factor authentication for employees and customers
- Firm policies related to “log-in attempts, log-in failures, lockouts, and unlocks or resets for perimeter-facing systems”
- Information concerning “any reviews of employee access rights and restrictions with respect to job-specific resources within the network and any related documentation”
Data Loss Prevention
- Firm policies “related to enterprise data loss prevention,” including data mapping and how firms “monitor data loss as it relates to [personally identifiable information] and access to customer accounts”
- Whether and how firms classify data based on risk level
- Firm policies “related to monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm through various distribution channels,” such as e-mail and file transfer protocol (FTP) websites
Vendor Management
- Contractual terms related to vendor access to firm networks
- Vendor supervision, monitoring and access control
- How firms handle their relationships with vendors that provide cybersecurity and IT-related services
- Information addressing “written contingency plans the firm has with its vendors concerning, for instance, conflicts of interest, bankruptcy, or other issues that might put the vendor out of business or in financial difficulty”
Training
- Dates and topics of cyber-related training, as well as groups of participating employees
- Cyber-related training provided to vendors
Incident Response
- Firms’ tests of their incident response plans, “including the frequency of, and reports from, such testing”
- “[S]ystem-generated alerts related to data loss of sensitive information”
- The discovery process, escalation plan and remediation of various types of data breaches that firms may have experienced
- Information concerning “actual customer losses associated with cyber incidents”