Privacy & Information Security Law Blog

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.

The OCIE’s key findings included:

• A majority of the broker-dealers (88%) and the advisers (74%) reported that they have experienced a cyber-related incident.
• A majority of examined firms broker-dealers (93%) and advisers (79%) reported that they conduct cybersecurity risk assessments on periodic basis.
• Almost half of the broker-dealers (47%) reportedly participate in information sharing organizations such as the Financial Services Information Sharing and Analysis Center.
• Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.
• Most of the broker-dealers (72%) include cybersecurity requirements in their vendor and business partner contracts, while few of the advisers (24%) incorporate such requirements.
• Over half of the broker-dealers (58%) maintain insurance for cybersecurity incidents, while only a small number of the advisers (21%) maintain such insurance.