Cybersecurity and the Financial Services Industry

Justin Orcutt, Regional Sales Manager

2014 is the year that the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) is turning its focus to cybersecurity, a looming threat to every company that uses the internet. In case you missed my last post, back in March the OCIE hosted a Cybersecurity Roundtable to discuss the importance of protecting consumer data and the security of market systems, following a steep increase in breaches among its members. According to Securities and Exchange Commissioner Luis Aguilar:

“Cybersecurity has become an important topic in both the private and public sectors, and for good reason. Law enforcement and financial regulators have stated publicly that cyber-attacks are becoming both more frequent and more sophisticated. Indeed, according to one survey, U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful attacks they experienced per week.”

OCIE’s first initiative launched in April, when it announced plans to examine and assess the preparedness of over 50 registered broker-dealers and asset managers for a cyber-attack. Examiners would look for specific documentation, including:

  • An inventory of physical devices and systems, as well as software platforms and applications;
  • A copy of the organization's written information security policy;
  • Evidence of whether the organization conducts periodic risk assessments;
  • Evidence of whether cybersecurity roles and responsibilities have been explicitly assigned;
  • Practices and controls regarding the protection of networks and information utilized by the organization;
  • Evidence of whether the organization conducts or requires risk assessments of vendors and business partners;
  • Steps taken to detect unauthorized activity on networks and devices;
  • Updates on whether the organization experienced any type of cyber-incident.

The announcement was a call for asset managers to officially step up their cybersecurity. It’s been almost three months since the SEC released the OCIE Cybersecurity Initiative in a National Exam Program Risk Alert, and since then asset management companies have been moving quickly to address cybersecurity. The Cybersecurity Initiative has elevated the issue of cybersecurity out of IT and into the board room (finally). Management at these firms is now acting swiftly to assess their firms’ level of preparedness to defend against a cyber-attack and to improve their security posture.

The Cybersecurity Initiative is helping identify a baseline that all broker-dealers need to have in place to protect against a breach. Awareness of the problem and a vision of the baseline, however, are only the first step toward meeting the requirements of the Cybersecurity Initiative.

Coalfire has compiled a checklist to help companies seeking to meet the guidelines of the Cybersecurity Initiative:

1. Find a partner firm that is familiar with your business to help you
2. Quickly perform a review of your perimeter security via a penetration test
3. Notify your audit committee of your timeline to be prepared for an SEC audit
4. Conduct a risk analysis
5. Update policies and procedures
6. Look to buy insurance (work with your partner to determine if it’s adequate for you)
7. See attached guidance on how to help audit departments

Read Aguilar’s entire speech: $File/Aguilar%20and%20Cyber.pdf
Read the OCIE’s Risk Alert here:
