Cybersecurity Exams Part II: More Governance

Last year, the Securities and Exchange Commission raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview in April, it seemed that the initiative would continue into a phase 2. The SEC recently released OCIE’s 2015 Cybersecurity Examination Initiative.


According to the Risk Alert, the exams will focus on six areas:

  1. Governance and Risk Assessment
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Vendor Management
  5. Training
  6. Incident Response

As with Part I, the Risk Alert has a sample document request letter.

I will once again criticize the SEC’s approach to cybersecurity.

Not because cybersecurity is not important. It is very important and a risk for all firms.

I criticize because the SEC has pushed cybersecurity as an anti-fraud requirement. The SEC is saying that a failure to adequately address cybersecurity is effectively committing fraud on your investors. The big problem is that not every breach can be prevented. We have seen that a dedicated hacker can get into any system given enough time. Cyber initiatives can only deter hacks. Once you are hacked, you are not only facing the problems directly from the hack, but also the looming slap from the SEC that you defrauded your investors.

On top of that, the SEC is mostly accountants and lawyers, and the compliance world is mostly accountants and lawyers. Cyber requires IT personnel. I suspect many compliance personnel will stare at some of the items on the request letter and have little idea what the SEC is asking for.

Hand the request to your IT department and see what they can do with it.

Sources:

Anonymous Hacker by Brian Klug
CC BY SA

Author: Doug Cornelius

