The Securities and Exchange Commission (SEC) has been making cybersecurity a priority in 2015. In February, the SEC released observations of its first round of cybersecurity examinations of broker-dealers and advisors, which assessed cybersecurity preparedness. The SEC has just announced its second round of examinations, which promises to focus on the assessment of how well procedures and controls have been implemented. The second round of examinations will focus on:
- Governance and Risk Assessment – which looks at whether the firm regularly evaluates its controls and processes in light of cybersecurity risks. In addition, the SEC's Office of Compliance Inspections and Examinations (OCIE) may review the level of communication to, and involvement of, senior management and directors, reflecting growing accountability for preparedness at the C-level and the Board.
- Access Rights and Controls – with particular review of areas such as remote access and tiered access.
- Data Loss Prevention – which looks in particular at how the firm monitors the volume of content transferred outside the firm by its employees or through third parties (for example by email attachment or upload) and how the firm monitors for potentially unauthorized data transfers.
- Vendor Management – which will look at the firm's practices and controls for vendor management (such as due diligence relating to vendor selection, monitoring and oversight, and contract terms), an area identified as high risk in the first round of cybersecurity examinations.
- Training – which will look for training tailored to both employees and vendors, as well as priorities for the data breach response plan. Training is given a high priority, as this area is considered a first line of defense.
- Incident Response – which will look at whether the firm has established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future incidents (including determining which firm data, assets and services warrant the most protection against attacks).
The SEC has released a document clearly outlining its expectations in all of the above areas. It is clear from this round of cybersecurity examinations that the financial services industry is under greater pressure than ever to strengthen its defences and to prove that policies, procedures and technologies are in place. Endpoint devices are currently a weak spot in data protection: they introduce risk from malware, as we're seeing this week with the big Apple malware news, and they serve as a vector for direct access to the network. In a recent whitepaper, "How Financial Services Firms Can Bolster Security by Leveraging Persistence Technology on the Endpoint", we discuss recent security trends in the industry and how Persistence technology by Absolute can play a role in data protection.