What Broker-Dealers and RIAs Should Know About SEC Cyber Security Exams

When the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced Examination Priorities for 2014, it was clear that the agency has increased its focus on cyber security. For broker-dealers and registered investment advisors (RIAs), trying to comply with examination requirements will likely require a robust cyber security infrastructure.

Specifically, the OCIE cyber security examination will focus more closely on cyber security governance; identification of risk; the protection of information and networks; and risks associated with remote customer access, fund transfer requests, and vendors and other third parties. Additionally, the examination will look at firms’ past experience with cyber security threats and their ability to detect unauthorized activity.

For broker dealers and RIAs, compliance begins with understanding cyber threats faced by their organizations and determining whether there are written information security programs in place and personnel on staff or qualified outside vendors who can implement and regularly evaluate those programs. To help you determine how prepared your entity is for the SEC cyber security examination, consider the following questions:

• Do you regularly perform risk assessments that include cyber security, technology procedures and physical threats? Do those assessments include online account access platforms, if any?
• Do you document your written business continuity plan? Have you updated it to include cyber security threats?
• Does your cyber insurance adequately cover your firm’s risk?
• Do you encrypt customer data both at rest (in storage) and in motion (transmission)?
• Have you performed a vulnerability or penetration test?
• Have you identified procedures and trained employees to authenticate any customers who use email requests to transfer customer funds?
• Have all third-party service providers with access to personal information about your firm been identified? Are compliance contracts in effect with those providers?
• Have you identified all users and vendors with a business need for remote access? Do you control that access?
• Do you have a “red flags” program in place? Are employees trained on firm protocol for that program?

If you answered no to any of these questions, your firm may not be in compliance with SEC requirements. Kaufman Rossin can perform a cyber security readiness assessment and help your firm identify policies, procedure and processes enhancements prior to your examination.

For more information about what to expect from the upcoming cyber security exams and how you can prepare, contact me or another member of Kaufman Rossin’s risk advisory services team.