1 | P a g e
Information Security and Data Privacy Bulletin
March 2, 2015
TAKEAWAYS FROM THE SEC CYBERSECURITY EXAMINATION SWEEP
On February 3, 2015, the US Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert detailing its observations from cybersecurity examinations of 57 registered broker-dealers and 49 registered investment advisers.[1] These examinations were undertaken in connection with OCIE’s examination priorities for 2014, which called for better understanding the state of cybersecurity preparedness at financial services organizations and public companies.[2] In an April 15 Risk Alert announcing these examinations, OCIE provided an exhibit with sample questions on topics including cybersecurity governance, protection of networks and information, identifying and addressing risks associated with remote access to client information and funds transfer requests, identifying and addressing risks associated with vendors and third parties, and the detection of unauthorized activity.[3] In addition to identifying the focus of OCIE’s examinations, these questions highlighted key cybersecurity issues for financial services industry participants (as well as other companies) to consider in evaluating the adequacy of their own information security and data privacy practices.
OCIE’s findings suggest that financial services firms are taking substantially similar steps to protect their information technology systems and data. Overwhelmingly, firms were undertaking risk assessments, in order to identify cyber-threats, vulnerabilities, and business risks on a firm-wide basis. Nearly all firms had written information security policies and procedures that incorporated these assessments. Firms are also more attentive than in the past to their information technology systems, including maintaining up-to-date records of their hardware, operating systems, and applications; understanding how data flows through their network; and understanding their network topology, including every network access point. Firms that are not yet undertaking these tasks should consider commencing these steps in the near term.
With respect to other cybersecurity measures, OCIE identified uneven adoption of certain practices in connection with cybersecurity governance, protection of networks and information, risks associated with vendors and third parties, and risks associated with remote access to client information and fund transfer requests.
Cybersecurity Governance
OCIE found that the firms’ written policies and procedures did not uniformly address breach incident response plans. In particular, OCIE identified a failure to incorporate corrective controls, which are designed to mitigate, if not halt, an ongoing breach, and recovery controls, which outline the steps necessary to return to normal operations. Firms should have detailed plans for addressing the administrative and technical challenges of handling a suspected or actual breach incident, as well as plans covering the recovery and restoration of critical systems and data. Moreover, firms should routinely test these plans prior to an actual breach incident.
Wollmuth Maher & Deutsch LLP
500 Fifth Avenue, 12th Floor, New York, New York 10110 (212) 382-3300
Protection of Networks and Information
Compliance testing is a critical aspect of every information security regime, because it ensures that the policies and procedures a firm has adopted to protect its information technology environment and data have been implemented and followed correctly. Although OCIE found a substantial majority of entities are conducting audits to determine adherence to their information security policies and procedures, a significant number of entities acknowledged suffering financial losses as a result of the transfer of client funds in response to fraudulent e-mail. In each of these cases, the root cause of these losses was attributed, by the firms involved, to the failure of employees to follow the firm’s identity authentication procedures. This strongly suggests that firms need to focus more attention on compliance issues, such as establishing a regime for documenting adherence to policies and procedures, and auditing for compliance.
Risks Associated with Vendors and Third Parties
Several prominent breaches have underscored the threat to firms’ information technology systems and data posed by vendors and third parties who are provided administrative or user credentials. A vendor whose own information technology systems are compromised can become a gateway into a firm’s information technology systems. Unsurprisingly, OCIE found that oversight of vendors and third parties is a weak point in firms’ cybersecurity efforts.
Firms should consider cybersecurity when drafting contracts with vendors and third parties that are granted access to the firms’ information technology systems or provided access to the firms’ data, and where appropriate, incorporating terms that encourage cybersecurity and assign liability for cyber-incursions. For instance, firms should ensure that these parties are identifying cyber-threats to their information technology environment, instituting strong administrative controls, and detecting technological and physical vulnerabilities to their networks and systems.
Once a relationship with a vendor or third party is established, firms must continue to mitigate the cybersecurity risks of these relationships throughout the relationship lifecycle. For instance, firms should address security training for vendors and third parties that are granted access to the firms’ information technology systems or data. Firms should also engage in the oversight necessary to ensure that vendors and third parties are upholding cybersecurity-related provisions in agreements.
Risks Associated with Remote Access to Client Information and Fund Transfer Requests
OCIE data indicate that only a small fraction of firms allocate responsibility for client losses resulting from cyber-incidents. Companies should consider the monetary ramifications of cyber-threats to clients, such as fraudulent e-mails seeking to transfer client funds, and devise policies that specifically address this issue.
Although not done uniformly, an emerging practice among firms is to provide clients with guidelines for minimizing the cybersecurity risks associated with conducting on-line transactions with the firm. Firms should consider providing such information at the time a client’s on-line access is established, as well as on the firms’ websites. Firms should also consider periodically raising client awareness of good cyber-hygiene practices through e-mail or traditional mail reminders.
Conclusion
Although there is no one-size-fits-all approach to cybersecurity, to the extent that certain cybersecurity practices have been widely adopted, firms should look to tailor these practices to their business model and circumstances. All firms should also consider the gaps which exist between their administrative, technical, or physical controls and common practices as identified in the OCIE report, and determine how to address any gaps in their current cybersecurity regime.
For further information, please contact:
Jason E. Glass
(212) 382-3300
jglass@wmd-law.com
Frederick R. Kessler
(212) 382-3300
fkessler@wmd-law.com
Steven F. Fitzgerald
(212) 382-3300
sfitzgerald@wmd-law.com
William F. Dahill
(212) 382-3300
wdahill@wmd-law.com
Ryan A. Kane
(212) 382-3300
rkane@wmd-law.com
David H. Wollmuth
(212) 382-3300
dwollmuth@wmd-law.com
This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore,
the information contained in this memorandum does not represent, and should not be regarded as, the view of any
particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of
assistance regarding these important developments. The names and office locations of all of our partners, as well
as additional memoranda, can be obtained from our website, www.wmd-law.com. The contents of this publication
are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal
or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to
any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP
assumes no liability in connection with the use of this publication.
[1] See OCIE, “Cybersecurity Examination Sweep Summary” (February 3, 2015), available at: http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
[2] See Examination Priorities for 2014, available at: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf, in which the OCIE’s National Examination Program (“NEP”) announced it would “examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.”
[3] See OCIE, “OCIE Cybersecurity Initiative” (April 15, 2014), available at: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.

Más contenido relacionado

Was ist angesagt?

Avoid the Audit Trap
Avoid the Audit TrapAvoid the Audit Trap
Avoid the Audit TrapIdeba
 
Presentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due DiligencePresentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due DiligenceethiXbase
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarDon Grauel
 
Dynamic systems e ticket system for law enforcement
Dynamic systems e ticket system for law enforcementDynamic systems e ticket system for law enforcement
Dynamic systems e ticket system for law enforcementDynamic Systems
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 
How to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for successHow to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for successSarah Fane
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisorsGrant Thornton LLP
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersBroadridge
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesEchoworx
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?EMC
 
Compliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCompliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCorporater
 
Creating Your Red Flags Rule Playbook
Creating Your Red Flags Rule PlaybookCreating Your Red Flags Rule Playbook
Creating Your Red Flags Rule PlaybookLumension
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens BankMichael Ouellet
 
2015 WACHA Hot Regulatory Exam Issues 03202015
2015 WACHA Hot Regulatory Exam Issues 032020152015 WACHA Hot Regulatory Exam Issues 03202015
2015 WACHA Hot Regulatory Exam Issues 03202015Brent Siegel
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 

Was ist angesagt? (20)

Avoid the Audit Trap
Avoid the Audit TrapAvoid the Audit Trap
Avoid the Audit Trap
 
Presentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due DiligencePresentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due Diligence
 
Accounting
AccountingAccounting
Accounting
 
George Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler SeminarGeorge Gavras 2010 Fowler Seminar
George Gavras 2010 Fowler Seminar
 
Dynamic systems e ticket system for law enforcement
Dynamic systems e ticket system for law enforcementDynamic systems e ticket system for law enforcement
Dynamic systems e ticket system for law enforcement
 
Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 
How to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for successHow to Get Proactive about your Vendor Master Data: 4 tips for success
How to Get Proactive about your Vendor Master Data: 4 tips for success
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisors
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker Dealers
 
Solving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial ServicesSolving the Encryption Conundrum in Financial Services
Solving the Encryption Conundrum in Financial Services
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?
 
Ais Romney 2006 Slides 08 Is Control2
Ais Romney 2006 Slides 08 Is Control2Ais Romney 2006 Slides 08 Is Control2
Ais Romney 2006 Slides 08 Is Control2
 
Compliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCompliance Management | Compliance Solutions
Compliance Management | Compliance Solutions
 
Creating Your Red Flags Rule Playbook
Creating Your Red Flags Rule PlaybookCreating Your Red Flags Rule Playbook
Creating Your Red Flags Rule Playbook
 
Trends 121415 Citizens Bank
Trends 121415 Citizens BankTrends 121415 Citizens Bank
Trends 121415 Citizens Bank
 
DKapellmann_Security Compliance Models
DKapellmann_Security Compliance ModelsDKapellmann_Security Compliance Models
DKapellmann_Security Compliance Models
 
2015 WACHA Hot Regulatory Exam Issues 03202015
2015 WACHA Hot Regulatory Exam Issues 032020152015 WACHA Hot Regulatory Exam Issues 03202015
2015 WACHA Hot Regulatory Exam Issues 03202015
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 

Andere mochten auch

Union budget 2015-16: Deciphering the key Direct and Indirect Tax Proposals
Union budget 2015-16: Deciphering the key Direct and Indirect Tax ProposalsUnion budget 2015-16: Deciphering the key Direct and Indirect Tax Proposals
Union budget 2015-16: Deciphering the key Direct and Indirect Tax ProposalsCA VISHAL TAYAL
 
Sysdat International | presentazione istituzionale
Sysdat International | presentazione istituzionaleSysdat International | presentazione istituzionale
Sysdat International | presentazione istituzionaleSysdat International SA
 
Phòng ngừa xơ cứng động mạch bằng thực phẩm
Phòng ngừa xơ cứng động mạch bằng thực phẩmPhòng ngừa xơ cứng động mạch bằng thực phẩm
Phòng ngừa xơ cứng động mạch bằng thực phẩmteodoro236
 
Viên Lic Giảm Cân Tăng Cân
Viên Lic Giảm Cân Tăng CânViên Lic Giảm Cân Tăng Cân
Viên Lic Giảm Cân Tăng Câneddie520
 
TURISMO
TURISMOTURISMO
TURISMODaniaW
 
vivek_resume_2016
vivek_resume_2016vivek_resume_2016
vivek_resume_2016Vivek Kumar
 
Hortet
HortetHortet
Hortetticgem
 
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...Елена Коптева
 
Nguyên nhân nào gây đau thắt lưng
Nguyên nhân nào gây đau thắt lưngNguyên nhân nào gây đau thắt lưng
Nguyên nhân nào gây đau thắt lưngrodney552
 
Thoái hóa sụn khớp - nguyên nhân ít ngờ đến
Thoái hóa sụn khớp - nguyên nhân ít ngờ đếnThoái hóa sụn khớp - nguyên nhân ít ngờ đến
Thoái hóa sụn khớp - nguyên nhân ít ngờ đếnilda716
 
WTP-2015-Obesity
WTP-2015-ObesityWTP-2015-Obesity
WTP-2015-ObesityReza Alavi
 
Carnestoltes
CarnestoltesCarnestoltes
Carnestoltesticgem
 

Andere mochten auch (19)

Smart_Home_Report_2015
Smart_Home_Report_2015Smart_Home_Report_2015
Smart_Home_Report_2015
 
Simple machines
Simple machinesSimple machines
Simple machines
 
Union budget 2015-16: Deciphering the key Direct and Indirect Tax Proposals
Union budget 2015-16: Deciphering the key Direct and Indirect Tax ProposalsUnion budget 2015-16: Deciphering the key Direct and Indirect Tax Proposals
Union budget 2015-16: Deciphering the key Direct and Indirect Tax Proposals
 
Sysdat International | presentazione istituzionale
Sysdat International | presentazione istituzionaleSysdat International | presentazione istituzionale
Sysdat International | presentazione istituzionale
 
Phòng ngừa xơ cứng động mạch bằng thực phẩm
Phòng ngừa xơ cứng động mạch bằng thực phẩmPhòng ngừa xơ cứng động mạch bằng thực phẩm
Phòng ngừa xơ cứng động mạch bằng thực phẩm
 
g
gg
g
 
SOPA DE LETRAS DEL NXT
SOPA DE LETRAS DEL NXT SOPA DE LETRAS DEL NXT
SOPA DE LETRAS DEL NXT
 
Viên Lic Giảm Cân Tăng Cân
Viên Lic Giảm Cân Tăng CânViên Lic Giảm Cân Tăng Cân
Viên Lic Giảm Cân Tăng Cân
 
TURISMO
TURISMOTURISMO
TURISMO
 
vivek_resume_2016
vivek_resume_2016vivek_resume_2016
vivek_resume_2016
 
Hortet
HortetHortet
Hortet
 
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...
Ошибки и особенности подготовки расчета 6-НДФЛ в конфигурации 1С:Зарплата и у...
 
Nguyên nhân nào gây đau thắt lưng
Nguyên nhân nào gây đau thắt lưngNguyên nhân nào gây đau thắt lưng
Nguyên nhân nào gây đau thắt lưng
 
Complete java
Complete javaComplete java
Complete java
 
Thoái hóa sụn khớp - nguyên nhân ít ngờ đến
Thoái hóa sụn khớp - nguyên nhân ít ngờ đếnThoái hóa sụn khớp - nguyên nhân ít ngờ đến
Thoái hóa sụn khớp - nguyên nhân ít ngờ đến
 
Final ppp
Final pppFinal ppp
Final ppp
 
WTP-2015-Obesity
WTP-2015-ObesityWTP-2015-Obesity
WTP-2015-Obesity
 
Turismo
TurismoTurismo
Turismo
 
Carnestoltes
CarnestoltesCarnestoltes
Carnestoltes
 

Ähnlich wie Wollmuth Maher & Deutsch LLP -Takeaways From The SEC Cybersecurity Examination Sweep

New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...NationalUnderwriter
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the BoardroomMarko Suswanto
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 
FTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationFTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationBrent Hillyer
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Managementbanerjeerohit
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management   a prep guideCybersecurity crisis management   a prep guide
Cybersecurity crisis management a prep guideJoAnna Cheshire
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdfroguelogics
 
Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Anne Marie
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustGrant Thornton LLP
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Importance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s BusinessImportance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s Business360factors
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfProtected Harbor
 
Legal challenges of big data
Legal challenges of big dataLegal challenges of big data
Legal challenges of big dataRoger Royse
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee StudyHiten Sethi
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 

Ähnlich wie Wollmuth Maher & Deutsch LLP -Takeaways From The SEC Cybersecurity Examination Sweep (20)

New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Data Protection: Process Information
Data Protection: Process InformationData Protection: Process Information
Data Protection: Process Information
 
FTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance PresentationFTC overview on glba final rule on safeguards 2010 Compliance Presentation
FTC overview on glba final rule on safeguards 2010 Compliance Presentation
 
Third Party Risk Management
Third Party Risk ManagementThird Party Risk Management
Third Party Risk Management
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals  Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
Cybersecurity crisis management a prep guide
Cybersecurity crisis management   a prep guideCybersecurity crisis management   a prep guide
Cybersecurity crisis management a prep guide
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...Regulatory Standards Of The Federal Information Systems...
Regulatory Standards Of The Federal Information Systems...
 
IDC concur analyst piece
IDC concur analyst pieceIDC concur analyst piece
IDC concur analyst piece
 
For digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a mustFor digital media companies, effective cybersecurity programs a must
For digital media companies, effective cybersecurity programs a must
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Importance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s BusinessImportance of Regulatory Compliance as a Part of Today’s Business
Importance of Regulatory Compliance as a Part of Today’s Business
 
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdfThe Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
The Protected Harbor 2022 Legal Services Data Breach Trend Report (2).pdf
 
Legal challenges of big data
Legal challenges of big dataLegal challenges of big data
Legal challenges of big data
 
State of Security McAfee Study
State of Security McAfee StudyState of Security McAfee Study
State of Security McAfee Study
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 

Wollmuth Maher & Deutsch LLP -Takeaways From The SEC Cybersecurity Examination Sweep

  • 1. 1 | P a g e Information Security and Data Privacy Bulletin March 2, 2015 TAKEAWAYS FROM THE SEC CYBERSECURITY EXAMINATION SWEEP On February 3, 2015, the US Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert detailing its observations from cybersecurity examinations of 57 registered broker-dealers and 49 registered investment advisers.1 These examinations were undertaken in connection with OCIE’s examination priorities for 2014, which called for better understanding the state of cybersecurity preparedness at financial services organizations and public companies.2 In an April 15 Risk Alert announcing these examinations, OCIE provided an exhibit with sample questions on topics including cybersecurity governance, protection of networks and information, identifying and addressing risks associated with remote access to client information and funds transfer requests, identifying and addressing risks associated with vendors and third parties, and the detection of unauthorized activity.3 In addition to identifying the focus of OCIE’s examinations, these questions highlighted key cybersecurity issues for financial services industry participants (as well as other companies) to consider in evaluating the adequacy of their own information security and data privacy practices. OCIE’s findings suggest that financial services firms are taking substantially similar steps to protect their information technology systems and data. Overwhelmingly, firms were undertaking risk assessments, in order to identify cyber- threats, vulnerabilities, and business risks on a firm-wide basis. Nearly all firms had written information security policies and procedures that incorporated these assessments. 
Firms are also more attentive than in the past to their information technology systems, including maintaining up-to-date records of their hardware, operating systems, and applications; understanding how data flows through their network; and understanding their network topology, including every network access point. Firms that are not yet undertaking these tasks should consider commencing these steps in the near term. With respect to other cybersecurity measures, OCIE identified uneven adoption of certain practices in connection with cybersecurity governance, protection of networks and information, risks associated with vendors and third parties, and risks associated with remote access to client information and fund transfer requests. Cybersecurity Governance OCIE found that the firms’ written policies and procedures did not uniformly address breach incident response plans. In particular, OCIE identified a failure to incorporate corrective controls, which are designed to mitigate, if not halt, an ongoing breach, and recovery controls, which outline the steps necessary to return to normal operations. Firms should have detailed plans for addressing the administrative and technical challenges of handling a suspected or actual breach incident, as well as plans covering the recovery and restoration of critical systems and data. Moreover, firms should routinely test these plans prior to an actual breach incident. WOLLMUTHMAHER&DEUTSCHLLP 500FIFTHAVENUE,12THFLOOR,NEWYORK,NEWYORK10110(212)382-3300
  • 2. 2 | P a g e Protection of Networks and Information Compliance testing is a critical aspect of every information security regime, because it ensures that the policies and procedures a firm has adopted to protect its information technology environment and data have been implemented and followed correctly. Although OCIE found a substantial majority of entities are conducting audits to determine adherence to their information security policies and procedures, a significant number of entities acknowledged suffering financial losses as a result of the transfer of client funds in response to fraudulent e-mail. In each of these cases, the root cause of these losses was attributed, by the firms involved, to the failure of employees to follow the firm’s identity authentication procedures. This strongly suggests that firms need to focus more attention on compliance issues, such as establishing a regime for documenting adherence to policies and procedures, and auditing for compliance. Risks Associated with Vendors and Third Parties Several prominent breaches have underscored the threat to firms’ information technology systems and data posed by vendors and third parties who are provided administrative or user credentials. A vendor whose own information technology systems are compromised can become a gateway into a firm’s information technology systems. Unsurprisingly, OCIE found that oversight of vendors and third parties is a weak point in firms’ cybersecurity efforts. Firms should consider cybersecurity when drafting contracts with vendors and third parties that are granted access to the firms’ information technology systems or provided access to the firms’ data, and where appropriate, incorporating terms that encourage cybersecurity and assign liability for cyber-incursions. 
For instance, firms should ensure that these parties are identifying cyber-threats to their information technology environment, instituting strong administrative controls, and detecting technological and physical vulnerabilities in their networks and systems. Once a relationship with a vendor or third party is established, firms must continue to mitigate the cybersecurity risks of these relationships throughout the relationship lifecycle. For instance, firms should address security training for vendors and third parties that are granted access to the firms’ information technology systems or data. Firms should also engage in the oversight necessary to ensure that vendors and third parties are upholding cybersecurity-related provisions in agreements.

Risks Associated with Remote Access to Client Information and Fund Transfer Requests

OCIE data indicate that only a small fraction of firms allocate responsibility for client losses resulting from cyber-incidents. Companies should consider the monetary ramifications of cyber-threats to clients, such as fraudulent e-mails seeking to transfer client funds, and devise policies that specifically address this issue. Although not done uniformly, an emerging practice among firms is to provide clients with guidelines for minimizing the cybersecurity risks associated with conducting on-line transactions with the firm. Firms should consider providing such information at the time a client’s on-line access is established, as well as on the firms’ websites. Firms should also consider periodically raising client awareness of good cyber-hygiene practices through e-mail or traditional mail reminders.

Conclusion

Although there is no one-size-fits-all approach to cybersecurity, to the extent that certain cybersecurity practices have been widely adopted, firms should look to tailor these practices to their business model and circumstances. All firms should also consider the gaps that exist between their administrative, technical, or physical controls and the common practices identified in the OCIE report, and determine how to address any gaps in their current cybersecurity regime.
For further information, please contact:

Jason E. Glass, (212) 382-3300, jglass@wmd-law.com
Frederick R. Kessler, (212) 382-3300, fkessler@wmd-law.com
Steven F. Fitzgerald, (212) 382-3300, sfitzgerald@wmd-law.com
William F. Dahill, (212) 382-3300, wdahill@wmd-law.com
Ryan A. Kane, (212) 382-3300, rkane@wmd-law.com
David H. Wollmuth, (212) 382-3300, dwollmuth@wmd-law.com

This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore, the information contained in this memorandum does not represent, and should not be regarded as, the view of any particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of assistance regarding these important developments. The names and office locations of all of our partners, as well as additional memoranda, can be obtained from our website, www.wmd-law.com.

The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP assumes no liability in connection with the use of this publication.

1 See OCIE, “Cybersecurity Examination Sweep Summary” (February 3, 2015), available at http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
2 See OCIE, Examination Priorities for 2014, available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf, in which the OCIE’s National Examination Program (“NEP”) announced it would “examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.”
3 See OCIE, “OCIE Cybersecurity Initiative” (April 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.