New National Exam Program Risk Alert

Justin Orcutt, Regional Sales Manager

In case you missed the most recent National Exam Program Risk Alert, you might want to head over to their website and determine what this may mean for you and your company. Since this may be a topic at your next board meeting, you should be prepared to answer any potential questions. Your board will want to know the status and effectiveness of your cybersecurity because the SEC will now be conducting examinations of more than 50 registered broker-dealers and registered investment advisers.
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) hosted a Cybersecurity Roundtable on March 26, 2014 to discuss the importance of protecting consumer data and the security of market systems. From this meeting, the OCIE has developed the ‘Cybersecurity initiative’, which is designed to assess cybersecurity preparedness in the securities industry and collect information about certain cyber threats.
The examinations will focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
The SEC provided an appendix of questions that may be used during the examinations within the National Exam Program document. While the appendix is not all-inclusive, it does include 6 main areas that you should already have addressed:

  1. Identification of Risks/Cybersecurity Governance
  2. Protection of Firm Networks and Information
  3. Risks Associated with Remote Customer Access and Funds Transfer Requests
  4. Risks Associated with Vendors and Other Third Parties
  5. Detection of Unauthorized Activity
  6. Other, which includes the identification of best-practice controls for your company

In addition to the appendix provided in the National Exam Program, there is also additional information you should begin to compile in case you are examined or your Board comes looking. For a list of the information sought, please visit:
An important takeaway from all of this is the fact that cyber risk is real and is affecting our critical infrastructure. As a Financial Services organization, you need to protect critical assets from cyber threats. A good starting point for organizations is NIST 800-30 as a guideline for security and privacy controls. If you are concerned about the status of your information security assurance and risk management programs, please do not hesitate to reach out to Coalfire for additional guidance.

Justin Orcutt
