Since January 2014, the Office of Compliance Inspections and Examinations (OCIE) within the SEC has made it a priority to examine the governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages of firms within the securities industry. Ever since, the OCIE has worked to provide additional information to increase understanding and awareness of the importance of mitigating cyber risks. To date, there have been three National Exam Program Risk Alerts, notifying firms of which aspects of their cybersecurity program will be reviewed and what the results were. To ensure you haven’t missed pertinent information regarding your compliance, here is an overview of the key focus areas in the newest alert:

  1. Governance and Risk Assessment—Examiners will review firm policies and procedures related to the protection of client and broker-dealer information, any applicable board minutes and briefing materials, and information regarding who owns cybersecurity matters within the firm. Additionally, the firm’s organizational structure and its periodic risk assessment, penetration testing, and vulnerability scanning will be assessed.
  2. Access Rights and Controls—A thorough examination of the firm’s policies and procedures related to controlling unauthorized access to network resources and devices and user access restrictions, along with their implementation, will be performed. Likewise, examiners will evaluate procedures around authenticating requests for data transfers.
  3. Data Loss Prevention—Examiners will analyze the policies and procedures related to enterprise data loss prevention, data classification, and monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm.
  4. Vendor Management—Firm policies and procedures on managing third-party vendor risks, especially vendor access to the firm’s network or data and how vendors are incorporated into the firm’s cybersecurity measures, will be reviewed.
  5. Training—Examiners will look at information regarding training the firm provides to staff and vendors related to information security risks and how that training is administered.
  6. Incident Response—The firm’s business continuity plan and its cybersecurity incident response measures will be assessed along with the frequency of testing.

Your portal contains multiple resources to assist you with your cybersecurity compliance efforts; however, we do offer additional services to help you become audit-ready. If you haven’t already done so, contact your Customer Success representative about our Audit-Ready Package or for more information on how we can help your business be more cyber secure.