The U.S. Securities and Exchange Commission (SEC) is making cybersecurity a priority in 2014. It recently announced it will examine more than 50 registered broker-dealers and registered investment advisers to determine their cybersecurity preparedness. The agency will focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
Firms will be asked to provide copies of various policies and plans, including written information security policies, business continuity of operations plans, cybersecurity incident response policies, procedures for verifying authenticity of e-mail requests seeking transfer of customer funds, policies for addressing responsibility for losses associated with attacks or intrusions, cybersecurity risk assessment questionnaires, and sensitive data segregation policies. The SEC will also be checking that firms have established reasonable retention periods and have a comprehensive data destruction policy.
A sample cybersecurity document request is available on the SEC’s website.