Understanding the SEC OCIE’s Cybersecurity Examination Initiative

OCIE Focusing In On Cybersecurity Exam Initiatives:

The SEC’s top 6 priorities, and how working with an IT services provider ensures your firm is fully prepared

With the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations’ release of cybersecurity summary reports and exam initiatives, many financial services firms are being forced to reprioritize cybersecurity in preparation for potential SEC exams.

Without the right technology services partner in place, the initiatives are daunting, and getting started can feel overwhelming. Just look at the numbers.

In its Examination Priorities for 2016, OCIE confirmed that emphasis this year will be placed on testing how firms have actually implemented the procedures and controls first examined in 2015.

Following a string of high-profile cybersecurity incidents in recent years, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) kicked off the latest push when it released a Risk Alert in April of 2014 for relevant industries. Additionally, OCIE announced its intention to conduct examinations throughout the year to assess cybersecurity procedures and preparation in the securities industry.

In its summary report of those examinations, released in February of 2015, the OCIE stated that of those organizations it examined, 88 percent of the broker-dealers and 74 percent of the RIAs had experienced a cybersecurity incident recently.

The OCIE further announced that it planned to focus on cybersecurity compliance in its 2015 Examination Priorities. In September 2015, the office released the 2015 Risk Alert providing compliance guidance for industry entities that might be subject to examination.

OCIE 2015 Cybersecurity Examination Initiative Priorities

OCIE examiners may examine any area they deem necessary, but the 2015 Risk Alert highlights examination priorities in the following six primary areas:

1. Governance and Risk Assessment

The OCIE may examine whether companies have existing processes and procedures for cybersecurity and risk assessment. Examiners may also seek to determine whether your firm regularly reviews those procedures for efficacy and suitability to its own industry, along with how effectively high-level leadership is informed of, and participates in, those efforts.

The OCIE further notes that it may review the following:

  • Information security when dealing with third parties
  • Software patching, especially regarding critical security updates
  • Board minutes and briefing documents containing or related to sensitive information and cybersecurity
  • Your firm’s chief information security officer (CISO) or equivalent position
  • The firm’s organizational structure as related to cybersecurity
  • The firm’s procedures for risk assessment, proactive threat identification, penetration tests, and vulnerability scans

2. Access Rights and Controls

The examiners will emphasize cybersecurity risks stemming from access to systems and information, especially related to basic safeguards like multifactor authentication and prompt access adjustments following personnel changes.

The OCIE notes its intention to highlight concerns related to the following:

  • Controls and safeguards for network segmentation and tiered access levels, so that users can reach only the systems and data their role requires
  • Procedures for handling failed logins, password resets, dormant accounts, and unauthorized login attempts
  • Remote network access, including access from personal or third-party devices
  • The firm’s documentation and dissemination of its cybersecurity procedures to all relevant users
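The items in this list are what an examiner will ask to see evidence of, and most of them can be checked mechanically against an account inventory and an authentication log. The script below is an added example, not code from the page, from OCIE, or from Bay Computing. It flags enabled accounts belonging to terminated personnel, dormant accounts, privileged accounts without multifactor authentication, and bursts of failed logins (with a note when a success follows the burst). The account records, the log lines, the 90-day dormancy window, and the five-failures-in-ten-minutes threshold are all constructed assumptions for the demonstration.

```python
"""Access-rights audit over a constructed account inventory and auth log.

Added example for the Access Rights and Controls priority; it is not code
from the page, from OCIE or from any vendor. The account records, the auth
log lines, the 90-day dormancy window and the 5-failures-in-10-minutes
threshold are assumptions made for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AS_OF = datetime(2016, 3, 1)           # assumed audit date
DORMANT_AFTER = timedelta(days=90)     # assumed dormancy window
BURST_FAILS, BURST_WINDOW = 5, timedelta(minutes=10)  # assumed threshold

# Constructed account inventory: (user, role, enabled, mfa, last_login, hr_status)
ACCOUNTS = [
    ("jdoe",    "trader",  True, True,  datetime(2016, 2, 28), "active"),
    ("asmith",  "admin",   True, False, datetime(2016, 2, 27), "active"),
    ("bjones",  "ops",     True, True,  datetime(2015, 10, 1), "active"),
    ("mlee",    "analyst", True, True,  datetime(2016, 2, 20), "terminated"),
    ("svc_bak", "service", True, False, None,                  "active"),
]

# Constructed auth log lines: "<ISO timestamp> <user> <source IP> <result>"
AUTH_LOG = """\
2016-03-01T09:00:01 jdoe 10.1.1.20 success
2016-03-01T09:02:10 asmith 203.0.113.7 failure
2016-03-01T09:03:15 asmith 203.0.113.7 failure
2016-03-01T09:04:02 asmith 203.0.113.7 failure
2016-03-01T09:05:44 asmith 203.0.113.7 failure
2016-03-01T09:06:30 asmith 203.0.113.7 failure
2016-03-01T09:07:12 asmith 203.0.113.7 success
2016-03-01T10:00:00 bjones 10.1.1.31 failure
2016-03-01T14:00:00 bjones 10.1.1.31 failure
"""


def audit_accounts(accounts, as_of=AS_OF):
    """Return (user, finding) pairs for terminated-but-enabled, dormant,
    and privileged-without-MFA accounts."""
    findings = []
    for user, role, enabled, mfa, last_login, hr_status in accounts:
        if not enabled:
            continue  # disabled accounts are already off the access path
        if hr_status == "terminated":
            findings.append((user, "enabled account for terminated personnel"))
        if last_login is None or as_of - last_login > DORMANT_AFTER:
            findings.append((user, "dormant account"))
        if role in ("admin", "service") and not mfa:
            findings.append((user, "privileged account without MFA"))
    return findings


def parse_auth_log(text):
    """Parse the space-separated log format above into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, src, result))
    return events


def failed_login_bursts(events, threshold=BURST_FAILS, window=BURST_WINDOW):
    """Sliding window per (user, source): flag `threshold` failures inside
    `window`, and record whether a success followed the burst, which is the
    pattern of a guessing attack that eventually worked."""
    recent_failures = defaultdict(list)
    bursts = {}
    for ts, user, src, result in sorted(events):
        key = (user, src)
        if result == "failure":
            q = recent_failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.pop(0)
            if len(q) >= threshold and key not in bursts:
                bursts[key] = {"first": q[0], "count": len(q), "success_after": False}
        elif result == "success" and key in bursts:
            bursts[key]["success_after"] = True
    return bursts


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
    for (user, src), info in failed_login_bursts(parse_auth_log(AUTH_LOG)).items():
        print(f"{user} from {src}: {info['count']} failures since {info['first']}, "
              f"success after burst: {info['success_after']}")
```

In the constructed data this reports the admin and service accounts without MFA, the two dormant accounts, the terminated analyst still enabled, and one burst of five failures from a single external address followed by a successful login. The point for an exam is less the script than the evidence trail: run the checks on a schedule, keep the output, and record what was done about each finding.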

3. Data Loss Prevention

OCIE examiners will assess your firm’s procedures for data transferred outside of the network through emails or other data uploads.

Examiners may highlight procedures for the following:

  • Identifying and preventing unauthorized data transfers
  • Verifying the authenticity of requests to transfer funds
  • Mapping data to verify information ownership and privileges
  • Data classification and security levels

4. Vendor Management

As third-party vendors are a prominent source of cybersecurity incidents, examiners may focus on vendor management, including how vendors are chosen, vetted and monitored. Examiners may also ascertain whether your firm considers vendor security to be an integral component of its overall cybersecurity procedures.

The OCIE additionally highlights the importance of clear vendor contracts regarding security responsibilities, along with documentation for all related areas, and your firm’s contingency plans for dealing with vendor-related breaches.

5. Training

Security procedures are only as effective as the training received by relevant personnel, including third-party partners. Therefore, examiners may verify that such training is thorough, widespread, and well documented.

6. Incident Response

The OCIE will examine your firm’s policies and procedures for responding to incidents, including documentation of the same, along with how policies are adjusted (when appropriate) following those incidents.

Examiners may further highlight procedures related to the following:

  • How cybersecurity fits into your firm’s business continuity plan
  • Your firm’s testing and drilling procedures for cybersecurity incidents and all data disasters
  • System-generated alerts to automatically notify key personnel of potential incidents
  • Actual customer losses related to cybersecurity incidents

Recommended Actions

Ultimately, the OCIE’s examination priorities reveal that it considers the cybersecurity status quo to be ill-suited to modern realities.

With OCIE’s release of its Examination Priorities for 2016, it was reiterated that the priority placed on cybersecurity compliance and controls will be further emphasized throughout the year.

This will most likely be seen through testing and assessment of how firms have implemented and integrated technical procedures and controls into their office technology environments.

Simply put, instead of a reactive, incident-based response, the OCIE wants firms to demonstrate that they have adopted a proactive, holistic stance regarding cybersecurity and workplace technology management.

Your firm’s default mindset should be that it is under threat from cyber-intrusions, and it should be able to demonstrate through robust documentation and actual practice that it is actively on alert for cybersecurity incidents.

To achieve this goal, your firm needs to ensure that it is working with an IT services provider that can serve as a full partner in security initiatives and procedures. Financial technology support partners can work with firms to establish, demonstrate and document their procedures in these four key areas:

1. Data Protection

Your firm must be able to rank all data according to a risk hierarchy (low, medium, high) and operational priority. Cybersecurity procedures should be strengthened accordingly, with the highest risk and highest operational priority data being subject to robust, multi-layered safeguards.

2. Proactive Security

Furthermore, your firm should implement, document and demonstrate a clear commitment to vigilant, proactive monitoring of security risks. Relevant procedures should be a top priority for all related personnel, and the firm should have a clearly understood process for how cybersecurity incidents will be identified, addressed and mitigated at all levels of the organization.

3. Cyber-Perimeter

Additionally, firms are expected to be able to demonstrate a clear understanding that their cyber-perimeter extends into the world of third parties, including vendors, partners and customers. Their procedures and practices for that outlying perimeter should be just as robust (if not more so) as their procedures for in-house data sites.

4. Documentation

And finally, your firm must be able to document and demonstrate any and every aspect of its cybersecurity procedures. A qualified financial IT services partner should be able to provide technology that can oversee such documentation, including generating it automatically when appropriate, and to ensure that your firm’s security measures will withstand OCIE audits.
 
While this influx of information can feel overwhelming at first, with help and guidance from the right San Francisco Bay Area Managed Services Provider, your firm can rest easy knowing you are well prepared and able to respond as necessary. Get your cybersecurity preparations started today by reaching out to the technology management team at Bay Computing for a free network assessment.
