The SEC’s New Cybersecurity Exam Alert – What Advisors Need To Know
Overview
The SEC has issued a new risk alert on cybersecurity that registered broker-dealers and investment advisors need to follow closely. The SEC’s Office of Compliance Inspections and Examinations pointed to six broad categories in the alert, which was released on September 15.
At a high level, the SEC is concerned with how firms handle governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response. This isn’t just a collection of friendly tips – the alert includes a sample list of information the OCIE may review. The office is conducting a second round of cybersecurity examinations to make sure firms are properly implementing the formalized procedures and controls they should already have in place.
The first round of exams was announced in April 2014 and the OCIE published findings from those exams in February. Technology available to financial firms, and to people capable of compromising financial firms, has evolved since the previous round of exams. So although a new round isn’t itself surprising, firms might be surprised at certain criteria the SEC will focus on as well as the level of detail the SEC will seek.
Justin Kapahi, technical director of the financial services practice at External IT, outlines what advisors and broker-dealers should be thinking about in light of the SEC’s recent cybersecurity risk alert.