SEC to examine robustness of Wall Street’s cyber defenses

Published 25 April 2014

The Securities and Exchange Commission (SEC) announced plans last week to inspect the cyber defenses of fifty Wall Street investment advisers, brokers, and dealers to determine whether the financial sector is prepared for targeted cyberattacks. This is the first time cybersecurity has appeared on the SEC’s annual examination priorities.

Computerworld reports that the commission “will review each company’s tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks.”

SEC Commissioner Luis Aguilar pushed for the information-gathering effort, which is being carried out by the Office of Compliance Inspections and Examinations (OCIE), both to find out how the SEC could help Wall Street strengthen its security and to verify that the necessary industry controls are in place.

The OCIE risk alert announcing the initiative noted that the “cyber security initiative is designed to assess cyber security preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.”

The alert, posted last week, also included sample questions to be put to firms, along with notice that firms could “expect to be asked about the completeness of their written security policies, their business continuity plans, training programs, the frequency of their risk assessments and the group responsible for carrying out the assessments.”

John Stark, a managing director at Stroz Friedberg, an intelligence and risk management firm, told Computerworld of OCIE, “I don’t think they have been this focused, this broad, this creative, or this exhaustive,” and described the advance material provided to the firms as “a very well written questionnaire.”

The magazine also summarizes Stark’s acknowledgment that “tipping regulated entities about the content of the exam likely gives financial firms a chance to plug holes in their security posture before SEC regulators begin the testing,” and that “companies that get low marks will likely get deficiency letters from the SEC.”