A look at the SEC’s 2014 Cybersecurity Initiative, including a recent roundtable discussion and release of its National Exam Program Risk Alert.
On March 26th, 2014, the U.S. Securities and Exchange Commission hosted a cybersecurity roundtable designed to highlight the importance of Internet and data security for Wall Street firms.
The SEC press release announced a series of four panel discussions. Panel 1, on the ‘Cybersecurity Landscape,’ included representatives from the U.S. Department of the Treasury, the National Security Council, and the Department of Homeland Security, as well as several private-sector cybersecurity experts. Panel 2, on ‘Public Company Disclosure,’ featured speakers from a number of leading private firms as well as an advocate from the Brooklyn Law School. Panel 3, on ‘Market Systems,’ welcomed expert speakers on information security from the NASDAQ OMX, the Chicago Board Options Exchange, and the U.S. Treasury’s Office of Financial Institutions Policy. Panel 4, on ‘Broker-Dealers, Investment Advisers, and Transfer Agents,’ featured a collection of notable corporate investment managers and financial policy makers.
In her opening statement to the roundtable, chair Mary Jo White emphasized the crucial importance of maintaining the stability of our market system by protecting the integrity of client and customer data from external threats. White also recognized a “compelling need for stronger partnerships between the government and private sector” in order to achieve this goal.
The SEC followed the roundtable with the release of a nine-page National Exam Program Risk Alert as part of this ongoing initiative. The document was published by the SEC Office of Compliance Inspections and Examinations (OCIE) on April 15th, and has been regarded in the press as an “examination blueprint” on cybersecurity for Wall Street firms. The publication outlines what Fox Business News has dubbed a “road map” for the financial sector designed to assist in identifying and preventing future cybersecurity attacks. The Fox Business article also reports that the SEC plans on examining more than 50 companies in order to assess the state of their cybersecurity preparedness. Among its numerous recommendations, the Risk Alert asks companies to provide lists of any malware detected in their computer systems and to examine internal policies for handling ‘denial of service’ attacks and similar security breaches.
The Risk Alert document also features detailed sample questions and topics of concern that SEC investigators are likely to address when interviewing cybersecurity officers at the 50-plus firms it has chosen to examine. Areas of interest include policies for protecting customer information, the risks presented by remote customer access and fund transfers, company policies toward information passed on to third-party vendors, and mechanisms for monitoring and detecting unauthorized activity on a company’s servers.
This invigorated government response toward cybersecurity comes in the wake of several high-profile Internet security breaches suffered by national retailers, including Target Corporation and the Neiman Marcus Group, both of which reported cyber-attacks in the latter part of 2013.
Overall, this new push by the SEC indicates a vigorous effort by the governing body to determine the state of cybersecurity preparedness across the nation’s brokerages, asset-management firms, and other private financial institutions. With the roundtable and subsequent Risk Alert, the Commission looks to be encouraging continued education and increased cooperation between government and the private sector on this pressing subject. Additionally, the initiative points toward the SEC’s efforts to more clearly define the extent to which the U.S. government should play a future role in examining and disclosing the severity of private sector cybersecurity attacks.
For those wishing to examine in greater detail the OCIE’s National Exam Program Risk Alert, the full text is available here.