New National Exam Program Risk Alert

April 24, 2014, Justin Orcutt, Regional Sales Manager

In case you missed the most recent National Exam Program Risk Alert, you might want to head over to their website and determine what this may mean for you and your company. Since this may be a topic at your next board meeting, you should be prepared to answer any potential questions. Your board will want to know the status and effectiveness of your cybersecurity because the SEC will now be conducting examinations of more than 50 registered broker-dealers and registered investment advisers.
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) hosted a Cybersecurity Roundtable on March 26, 2014 to discuss the importance of protecting consumer data and the security of market systems. From this meeting, the OCIE has developed the ‘Cybersecurity initiative’, which is designed to assess cybersecurity preparedness in the securities industry and collect information about certain cyber threats.
The examinations will focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
The SEC provided an appendix of questions that may be used during the examinations within the National Exam Program document. While the appendix is not all-inclusive, it does cover 6 main areas that you should already have addressed:

  1. Identification of Risks/Cybersecurity Governance
  2. Protection of Firm Networks and Information
  3. Risks Associated with Remote Customer Access and Funds Transfer Requests
  4. Risks Associated with Vendors and Other Third Parties
  5. Detection of Unauthorized Activity
  6. Other, which includes the identification of best-practice controls for your company

In addition to the appendix provided in the National Exam Program, there is additional information you should begin to compile in case you are examined or your Board comes looking. For a list of the information sought, please visit:
An important takeaway from all of this is that cyber risk is real and is affecting our critical infrastructure. As a Financial Services organization, you need to protect critical assets from cyber threats. A good starting point for organizations is looking at NIST 800-30 for a guideline for security and privacy controls. If you are concerned about the status of your information security assurance and risk management programs, please do not hesitate to reach out to Coalfire for additional guidance.

Justin Orcutt
