SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers
April 24, 2014
On April 15, 2014, the Office of Compliance Inspections and Examinations of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.
The full text of the Risk Alert is available here.
SEC-registered investment advisers should review the Risk Alert, assess their current level of preparedness for cybersecurity threats, and consider whether any changes need to be made to their current cybersecurity policies and procedures. The Risk Alert includes an appendix containing 28 sample information requests that the SEC may send to investment advisers as part of the SEC’s cybersecurity initiative.
In summary, the sample information requests in the Risk Alert appendix cover the following topics:
- cybersecurity governance, including the firm’s written information security policies, business continuity plan, and the identity of the firm’s Chief Information Security Officer;
- identification and assessment of cybersecurity risks, including the month, year, and frequency with which physical devices, software platforms, and networks are inventoried at the firm and detailed information regarding the firm’s periodic risk assessments;
- protection of networks and information, including whether the firm relies on any published cybersecurity risk management process standards and the practices and controls the firm utilizes to protect its networks;
- risks associated with remote customer access and funds transfer requests;
- risks associated with vendors and other third parties, including the policies and procedures the firm uses to assess cybersecurity risks of vendors and other third parties;
- detection of unauthorized activity; and
- experiences with certain cybersecurity threats.
The sample information requests in the Risk Alert also address compliance with the Identity Theft Red Flags Rules, which came into effect in 2013. For a summary of the Identity Theft Red Flags Rules, see our May 28, 2013 Foley Adviser.