Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Wollmuth Maher & Deutsch LLP -Takeaways From The SEC Cybersecurity Examination Sweep

  • Login to see the comments

  • Be the first to like this

Wollmuth Maher & Deutsch LLP -Takeaways From The SEC Cybersecurity Examination Sweep

  1. 1. 1 | P a g e Information Security and Data Privacy Bulletin March 2, 2015 TAKEAWAYS FROM THE SEC CYBERSECURITY EXAMINATION SWEEP On February 3, 2015, the US Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert detailing its observations from cybersecurity examinations of 57 registered broker-dealers and 49 registered investment advisers.1 These examinations were undertaken in connection with OCIE’s examination priorities for 2014, which called for better understanding the state of cybersecurity preparedness at financial services organizations and public companies.2 In an April 15 Risk Alert announcing these examinations, OCIE provided an exhibit with sample questions on topics including cybersecurity governance, protection of networks and information, identifying and addressing risks associated with remote access to client information and funds transfer requests, identifying and addressing risks associated with vendors and third parties, and the detection of unauthorized activity.3 In addition to identifying the focus of OCIE’s examinations, these questions highlighted key cybersecurity issues for financial services industry participants (as well as other companies) to consider in evaluating the adequacy of their own information security and data privacy practices. OCIE’s findings suggest that financial services firms are taking substantially similar steps to protect their information technology systems and data. Overwhelmingly, firms were undertaking risk assessments, in order to identify cyber- threats, vulnerabilities, and business risks on a firm-wide basis. Nearly all firms had written information security policies and procedures that incorporated these assessments. Firms are also more attentive than in the past to their information technology systems, including maintaining up-to-date records of their hardware, operating systems, and applications; understanding how data flows through their network; and understanding their network topology, including every network access point. Firms that are not yet undertaking these tasks should consider commencing these steps in the near term. With respect to other cybersecurity measures, OCIE identified uneven adoption of certain practices in connection with cybersecurity governance, protection of networks and information, risks associated with vendors and third parties, and risks associated with remote access to client information and fund transfer requests. Cybersecurity Governance OCIE found that the firms’ written policies and procedures did not uniformly address breach incident response plans. In particular, OCIE identified a failure to incorporate corrective controls, which are designed to mitigate, if not halt, an ongoing breach, and recovery controls, which outline the steps necessary to return to normal operations. Firms should have detailed plans for addressing the administrative and technical challenges of handling a suspected or actual breach incident, as well as plans covering the recovery and restoration of critical systems and data. Moreover, firms should routinely test these plans prior to an actual breach incident. WOLLMUTHMAHER&DEUTSCHLLP 500FIFTHAVENUE,12THFLOOR,NEWYORK,NEWYORK10110(212)382-3300
  2. 2. 2 | P a g e Protection of Networks and Information Compliance testing is a critical aspect of every information security regime, because it ensures that the policies and procedures a firm has adopted to protect its information technology environment and data have been implemented and followed correctly. Although OCIE found a substantial majority of entities are conducting audits to determine adherence to their information security policies and procedures, a significant number of entities acknowledged suffering financial losses as a result of the transfer of client funds in response to fraudulent e-mail. In each of these cases, the root cause of these losses was attributed, by the firms involved, to the failure of employees to follow the firm’s identity authentication procedures. This strongly suggests that firms need to focus more attention on compliance issues, such as establishing a regime for documenting adherence to policies and procedures, and auditing for compliance. Risks Associated with Vendors and Third Parties Several prominent breaches have underscored the threat to firms’ information technology systems and data posed by vendors and third parties who are provided administrative or user credentials. A vendor whose own information technology systems are compromised can become a gateway into a firm’s information technology systems. Unsurprisingly, OCIE found that oversight of vendors and third parties is a weak point in firms’ cybersecurity efforts. Firms should consider cybersecurity when drafting contracts with vendors and third parties that are granted access to the firms’ information technology systems or provided access to the firms’ data, and where appropriate, incorporating terms that encourage cybersecurity and assign liability for cyber-incursions. For instance, firms should ensure that these parties are identifying cyber-threats to their information technology environment, instituting strong administrative controls, and detecting technological and physical vulnerabilities to their networks and systems. Once a relationship with a vendor or third party is established, firms must continue to mitigate the cybersecurity risks of these relationships throughout the relationship lifecycle. For instance, firms should address security training for vendors and third parties that are granted access to the firms’ information technology systems or data. Firms should also engage in the oversight necessary to ensure that vendors and third parties are upholding cybersecurity-related provisions in agreements. Risks Associated with Remote Access to Client Information and Fund Transfer Requests OCIE data indicate that only a small fraction of firms allocate responsibility for client losses resulting from cyber-incidents. Companies should consider the monetary ramifications of cyber-threats to clients, such as fraudulent e-mails seeking to transfer client funds, and devise polices that specifically address this issue. Although not done uniformly, an emerging practice among firms is to provide clients with guidelines for minimizing the cybersecurity risks associated with conducting on-line transactions with the firm. Firms should consider providing such information at the time a client’s on-line access is established, as well as on the firms’ websites. Firms should also consider periodically raising client awareness of good cyber-hygiene practices through e- mail or traditional mail reminders. Conclusion Although there is no one-size-fits-all approach to cybersecurity, to the extent that certain cybersecurity practices have been widely adopted, firms should look to tailor these practices to their business model and circumstances. All firms should also consider the gaps which exist between their administrative, technical, or physical controls and common practices as identified in the OCIE report, and determine how to address any gaps in their current cybersecurity regime.
  3. 3. 3 | P a g e For further information, please contact: Jason E. Glass (212) 382-3300 Frederick R. Kessler (212) 382-3300 Steven F. Fitzgerald (212) 382-3300 William F. Dahill (212) 382-3300 Ryan A. Kane (212) 382-3300 David H. Wollmuth (212) 382-3300 This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore, the information contained in this memorandum does not represent, and should not be regarded as, the view of any particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of assistance regarding these important developments. The names and office locations of all of our partners, as well as additional memoranda, can be obtained from our website, The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP assumes no liability in connection with the use of this publication. 1 See OCIE, “Cybersecurity Examination Sweep Summary” (February 3, 2015), available at: 2 See Examination Priorities for 2014, available at: priorities-2014.pdf, in which the OCIE’s National Examination Program (“NEP”) announced it would “examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.” 3 See OCIE, “OCIE Cybersecurity Initiative” (April 15, 2014), available at: