Cybersecurity and the Financial Services Industry

July 03, 2014, Justin Orcutt, Regional Sales Manager

2014 is the year that the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) is turning its focus to cybersecurity, a looming threat to any and all companies that utilize the internet. In case you missed my last post, back in March the OCIE hosted a Cybersecurity Roundtable to discuss the importance of protecting consumer data and the security of market systems following a steep increase in breaches by its members. According to Securities and Exchange Commissioner Luis Aguilar:

“Cybersecurity has become an important topic in both the private and public sectors, and for good reason. Law enforcement and financial regulators have stated publicly that cyber-attacks are becoming both more frequent and more sophisticated. Indeed, according to one survey, U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful attacks they experienced per week.”

OCIE’s first initiative launched in April, when it announced plans to examine and assess the preparedness of over 50 registered broker-dealers and asset managers for a cyber-attack. They would look for specific documentation, including:

  • An inventory of physical devices and systems, as well as software platforms and applications;
  • A copy of the organization's written information security policy;
  • Evidence of whether the organization conducts periodic risk assessments;
  • Evidence of whether cybersecurity roles and responsibilities have been explicitly assigned;
  • Practices and controls regarding the protection of networks and information utilized by the organization;
  • Evidence of whether the organization conducts or requires risk assessments of vendors and business partners;
  • Steps taken to detect unauthorized activity on networks and devices;
  • Updates on whether the organization experienced any type of cyber-incident.

The announcement was a call for asset managers to officially step up their cybersecurity. It’s been almost three months since the SEC released the OCIE Cybersecurity Initiative in the National Exam Program Risk Alert, and since then asset management companies have been moving quickly to address cybersecurity. The Cybersecurity Initiative has elevated the issue of cybersecurity out of IT and into the board room (finally). Management at these firms is now acting swiftly to assess their firms’ level of preparedness to defend against a cyber-attack and to improve their security posture.

The Cybersecurity Initiative is helping identify a baseline that all broker-dealers need to have in place to protect against a breach. Awareness of the problem and a vision of the baseline, however, are only the first step toward meeting the requirements of the Cybersecurity Initiative.

Coalfire has compiled a checklist to help those companies seeking to meet the guidelines of the Cybersecurity Initiative:

1. Find a partner firm that is familiar with your business to help you
2. Quickly perform a review of your perimeter security via a penetration test
3. Notify your audit committee of your timeline to be prepared for an SEC audit
4. Conduct a risk analysis
5. Update policies and procedures
6. Look to buy insurance (work with your partner to determine if it’s adequate for you)
7. See attached guidance on how to help audit departments

Read Aguilar’s entire speech: $File/Aguilar%20and%20Cyber.pdf

Read the OCIE’s Risk Alert here:
