OCIE’s Focus on 2015 Cybersecurity Examination Initiatives

Understanding OCIE’s 2015 Cybersecurity Examination Initiative

Following a string of high-profile cybersecurity incidents in recent years, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert in April of 2014 for relevant industries. The OCIE announced its intention to conduct examinations throughout the year to assess cybersecurity procedures and preparation in the securities industry.

In its summary report of those examinations, released in February of 2015, the OCIE stated that of those organizations it examined, 88 percent of the broker-dealers and 74 percent of the RIAs had experienced a cybersecurity incident recently.

The OCIE further announced that it planned to focus on cybersecurity compliance in its 2015 Examination Priorities. In September, the office released the 2015 Risk Alert providing compliance guidance for industry entities that might be subject to examination.

OCIE 2015 Cybersecurity Examination Initiative Priorities

OCIE examiners will pursue investigations into any area they deem necessary, but the 2015 Risk Alert highlights examination priorities in the following six primary areas:

1. Governance and Risk Assessment

The OCIE may examine whether companies have existing processes and procedures for cybersecurity and risk assessment. Examiners may also seek to determine whether a firm regularly reviews those procedures for efficacy and suitability to its own industry, along with how effectively high-level leadership is informed of, and participates in, those efforts.

The OCIE further highlights its intention to scrutinize compliance in areas regarding the following:

• Information security when dealing with third parties
• Software patching, especially regarding critical security updates
• Board minutes and briefing documents containing or related to sensitive information and cybersecurity
• A firm’s chief information security officer (CISO) or equivalent position
• The firm’s organizational structure as related to cybersecurity
• The firm’s procedures for risk assessment, proactive threat identification, penetration tests, and vulnerability scans

2. Access Rights and Controls

The examiners will emphasize cybersecurity risks stemming from access to systems and information, especially related to basic safeguards like multifactor authentication and prompt access adjustments following personnel changes.

The OCIE notes its intention to highlight concerns related to the following:

• Controls and safeguards for network segmentation and access levels across different security clearances
• Perimeter-facing procedures such as failed logins, password retrieval, dormant accounts, and unauthorized logins
• Network access from outside devices
• The firm’s documentation and dissemination of its cybersecurity procedures to all relevant users

3. Data Loss and Prevention

OCIE examiners will assess a firm’s procedures for data transferred outside of the network through emails or other data uploads.

Examiners may highlight procedures for the following:

• Identifying and preventing unauthorized data transfers
• Verifying the authenticity of requests to transfer funds
• Mapping data to verify information ownership and privileges
• Data classification and security levels

4. Vendor Management

As third-party vendors are a prominent source of cybersecurity incidents, examiners may focus on vendor management, including how vendors are chosen, vetted and monitored. Examiners may also ascertain whether a firm considers vendor security to be an integral component of its overall cybersecurity procedures.

The OCIE additionally highlights the importance of clear vendor contracts regarding security responsibilities, along with documentation for all related areas, and a firm’s contingency plans for dealing with vendor-related breaches.

5. Training

Security procedures are only as effective as the training received by relevant personnel, including third-party partners. Therefore, examiners may verify that such training is thorough, widespread, and well documented.

6. Incident Response

The OCIE will examine a firm’s policies and procedures for responding to incidents, including documentation of the same, along with how policies are adjusted (when appropriate) following those incidents.

Examiners may further highlight procedures related to the following:

• How cybersecurity fits into a firm’s business continuity plan
• A firm’s testing and drilling procedures for cybersecurity incidents and all data disasters
• System-generated alerts to automatically notify key personnel of potential incidents
• Actual customer losses related to cybersecurity incidents

Recommended Actions

Ultimately, the OCIE’s examination priorities reveal that it considers the cybersecurity status quo to be ill-suited to modern realities. Instead of a reactive, incident-based response, the OCIE wants firms to demonstrate that they have adopted a proactive, holistic stance regarding cybersecurity.

A firm’s default mindset should be that it is under threat from cyber-intrusions, and it should be able to demonstrate through robust documentation and actual practice that it is actively on alert for cybersecurity incidents.

To achieve this goal, a firm needs to ensure that it is working with an IT services provider that can serve as a full partner in security initiatives and procedures. Financial technology support partners can work with firms to establish, demonstrate and document its procedures in these four key areas:

1. Data Protection

A firm must be able to rank all data according to a risk hierarchy (low, medium, high) and operational priority. Cybersecurity procedures should be strengthened accordingly, with the highest risk and highest operational priority data being subject to robust, multi-layered safeguards.

2. Proactive Security

A firm should implement, document and demonstrate a clear commitment to vigilant, proactive monitoring of security risks. Relevant procedures should be a top priority for all related personnel, and the firm should have a clearly understood process for how cybersecurity incidents will be identified, addressed and mitigated at all levels of the organization.

3. Cyber-Perimeter

A firm should be able to demonstrate a clear understanding that its cyber-perimeter extends into the world of third parties, including vendors, partners and customers. Its procedures and practices for that outlying perimeter should be just as robust (if not more so) as its procedures for in-house data sites.

4. Documentation

Comments are closed.