Wollmuth Maher & Deutsch LLP - Takeaways From The SEC Cybersecurity Examination Sweep
Information Security and Data Privacy Bulletin
March 2, 2015
TAKEAWAYS FROM THE SEC CYBERSECURITY EXAMINATION SWEEP
On February 3, 2015, the US Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert detailing its observations from cybersecurity examinations of 57 registered broker-dealers and 49 registered investment advisers.[1] These examinations were undertaken in connection with OCIE’s examination priorities for 2014, which called for better understanding the state of cybersecurity preparedness at financial services organizations and public companies.[2] In an April 15 Risk Alert announcing these examinations, OCIE provided an exhibit with sample questions on topics including cybersecurity governance, protection of networks and information, identifying and addressing risks associated with remote access to client information and funds transfer requests, identifying and addressing risks associated with vendors and third parties, and the detection of unauthorized activity.[3] In addition to identifying the focus of OCIE’s examinations, these questions highlighted key cybersecurity issues for financial services industry participants (as well as other companies) to consider in evaluating the adequacy of their own information security and data privacy practices.
OCIE’s findings suggest that financial services firms are taking substantially similar steps to protect their information technology systems and data. Overwhelmingly, firms were undertaking risk assessments, in order to identify cyber-threats, vulnerabilities, and business risks on a firm-wide basis. Nearly all firms had written information security policies and procedures that incorporated these assessments. Firms are also more attentive than in the past to their information technology systems, including maintaining up-to-date records of their hardware, operating systems, and applications; understanding how data flows through their network; and understanding their network topology, including every network access point. Firms that are not yet undertaking these tasks should consider commencing these steps in the near term.
With respect to other cybersecurity measures, OCIE identified uneven adoption of certain practices in connection with cybersecurity governance, protection of networks and information, risks associated with vendors and third parties, and risks associated with remote access to client information and fund transfer requests.
Cybersecurity Governance
OCIE found that the firms’ written policies and procedures did not uniformly address breach incident response plans. In particular, OCIE identified a failure to incorporate corrective controls, which are designed to mitigate, if not halt, an ongoing breach, and recovery controls, which outline the steps necessary to return to normal operations.

Firms should have detailed plans for addressing the administrative and technical challenges of handling a suspected or actual breach incident, as well as plans covering the recovery and restoration of critical systems and data. Moreover, firms should routinely test these plans prior to an actual breach incident.
Wollmuth Maher & Deutsch LLP, 500 Fifth Avenue, 12th Floor, New York, New York 10110, (212) 382-3300
Protection of Networks and Information
Compliance testing is a critical aspect of every information security regime, because it ensures that the policies and procedures a firm has adopted to protect its information technology environment and data have been implemented and followed correctly. Although OCIE found a substantial majority of entities are conducting audits to determine adherence to their information security policies and procedures, a significant number of entities acknowledged suffering financial losses as a result of the transfer of client funds in response to fraudulent e-mail. In each of these cases, the root cause of these losses was attributed, by the firms involved, to the failure of employees to follow the firm’s identity authentication procedures. This strongly suggests that firms need to focus more attention on compliance issues, such as establishing a regime for documenting adherence to policies and procedures, and auditing for compliance.
Risks Associated with Vendors and Third Parties
Several prominent breaches have underscored the threat to firms’ information technology systems and data posed by vendors and third parties who are provided administrative or user credentials. A vendor whose own information technology systems are compromised can become a gateway into a firm’s information technology systems. Unsurprisingly, OCIE found that oversight of vendors and third parties is a weak point in firms’ cybersecurity efforts.
Firms should consider cybersecurity when drafting contracts with vendors and third parties that are granted access to the firms’ information technology systems or provided access to the firms’ data, and where appropriate, incorporating terms that encourage cybersecurity and assign liability for cyber-incursions. For instance, firms should ensure that these parties are identifying cyber-threats to their information technology environment, instituting strong administrative controls, and detecting technological and physical vulnerabilities to their networks and systems.
Once a relationship with a vendor or third party is established, firms must continue to mitigate the cybersecurity risks of these relationships throughout the relationship lifecycle. For instance, firms should address security training for vendors and third parties that are granted access to the firms’ information technology systems or data. Firms should also engage in the oversight necessary to ensure that vendors and third parties are upholding cybersecurity-related provisions in agreements.
Risks Associated with Remote Access to Client Information and Fund Transfer Requests
OCIE data indicate that only a small fraction of firms allocate responsibility for client losses resulting from cyber-incidents. Companies should consider the monetary ramifications of cyber-threats to clients, such as fraudulent e-mails seeking to transfer client funds, and devise policies that specifically address this issue.
Although not done uniformly, an emerging practice among firms is to provide clients with guidelines for minimizing the cybersecurity risks associated with conducting on-line transactions with the firm. Firms should consider providing such information at the time a client’s on-line access is established, as well as on the firms’ websites. Firms should also consider periodically raising client awareness of good cyber-hygiene practices through e-mail or traditional mail reminders.
Conclusion
Although there is no one-size-fits-all approach to cybersecurity, to the extent that certain cybersecurity practices have been widely adopted, firms should look to tailor these practices to their business model and circumstances. All firms should also consider the gaps which exist between their administrative, technical, or physical controls and common practices as identified in the OCIE report, and determine how to address any gaps in their current cybersecurity regime.
For further information, please contact:
Jason E. Glass
(212) 382-3300
jglass@wmd-law.com
Frederick R. Kessler
(212) 382-3300
fkessler@wmd-law.com
Steven F. Fitzgerald
(212) 382-3300
sfitzgerald@wmd-law.com
William F. Dahill
(212) 382-3300
wdahill@wmd-law.com
Ryan A. Kane
(212) 382-3300
rkane@wmd-law.com
David H. Wollmuth
(212) 382-3300
dwollmuth@wmd-law.com
This memorandum is for general informational purposes and should not be regarded as legal advice. Furthermore, the information contained in this memorandum does not represent, and should not be regarded as, the view of any particular client of Wollmuth Maher & Deutsch LLP. Please contact your relationship partner if we can be of assistance regarding these important developments. The names and office locations of all of our partners, as well as additional memoranda, can be obtained from our website, www.wmd-law.com. The contents of this publication are for informational purposes only. Neither this publication nor the lawyers who authored it are rendering legal or other professional advice or opinions on specific facts or matters, nor does the distribution of this publication to any person constitute the establishment of an attorney-client relationship. Wollmuth Maher & Deutsch LLP assumes no liability in connection with the use of this publication.
[1] See OCIE, “Cybersecurity Examination Sweep Summary” (February 3, 2015), available at: http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
[2] See Examination Priorities for 2014, available at: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf, in which the OCIE’s National Examination Program (“NEP”) announced it would “examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.”
[3] See OCIE, “OCIE Cybersecurity Initiative” (April 15, 2014), available at: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.