Caveat Vendor
6 Things Financial Institutions Are Doing In Response to New Regulator Cyber Audit Guidance – Other Industries Take Note!
November 10, 2015
James Koenig
SEC’s OCIE Issues Cyber Alert and Six Priority Areas. On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of The U.S. Securities and Exchange Commission (“SEC”) issued an Alert (the “Alert”) to provide guidance concerning the series of cybersecurity examinations it began conducting in late 2014 and early 2015. In the Alert, the OCIE stated that audits will involve more testing to assess implementation of procedures and controls around cybersecurity in six priority areas:
— Governance and Risk Assessment
— Incident Response
— Access Rights and Controls
— Data Loss Prevention
— Vendor Management
— Training
46 Cyber-Related Documents Expected - What Should Financial Institutions Take Away and Why Should Other Industries Care. In the Appendix to the Alert, the OCIE listed 46 types of documents in these priority areas that it is likely to request during an audit. While the Alert and guidance applies to broker-dealers and investment advisors, other regulators and examiners will also view this as influential and a set of baseline practices for financial institutions and their service providers. Moreover, it is not uncommon for regulators from other industries to borrow from or use financial institution standards as a starting place when designing standards for other industries. Moreover, while boards of directors have been using the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity since its inception February 12, 2014, as a starting point to ask questions and review cyber safeguards in place, importantly, the SEC’s Alert provides an additional or alternative lens through which to gauge the maturity of a company’s cybersecurity program and cyber-incident prevention, detection and response preparedness.
SEC Begins Cyber Enforcements. The SEC has indicated that it will sanction firms for deficient written policies and procedures, even in cases where firms are victims of cyber-attacks and have responded promptly and effectively to the incident. In fact, one week after the Alert was issued, the SEC’s Division of Enforcement brought its first cyber enforcement action against investment adviser R.T. Jones Capital Equities Management for violations surrounding a hacking incident that exposed customers to potential identity theft risk. Matter of R.T. Jones Capital Equities Management, Inc., Admin. Proc. File No. 3-16827, SEC Investment Advisers Act Release No. 4204 (Sept. 22, 2015). Although the case settled without an admission of the SEC’s findings, the case marks a commitment by the SEC to enhance focus on cybersecurity and the need for financial institutions to adopt written policies and procedures reasonably designed to protect customer records and information under the Safeguards Rule (Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), including those designed to detect, prevent, and respond to instances of cybersecurity attacks and breaches.
Six Things Others Are Doing (to Prepare in OCIE Six Priority Areas). In response to the OCIE Alert, many financial institutions have started taking one or more of the following six steps to enhance global cyber or incident response programs and prepare for the expanded OCIE audits:
Establishing a Cyber Governance Committee/Draft Cyber Governance Charter. Establishing a Cyber Governance Committee if there is not one (or a body that explicitly oversees such (some incident response committees are designed to cover). Drafting or updating a cybersecurity governance charter specifying the responsibilities, coordination and choreography among stakeholders before, during and after an incident, investigation, remediation or government inquiry or enforcement action.
Build-Out Cyber Program and Incident Response Documentation. Building, modifying and collecting global cyber program policies, procedures, training, incident response/breach notification plans and other of the OCIE-enumerated 46 documents. Often, such documents exist in multiple places within an organization and need to be integrated and harmonized across countries or among business units and functions. Cyber Program can be treated separate from or an expansion of the traditional program – there are many overlapping stakeholders and safeguards, but cyber is a newer, increasingly sophisticated threat that many organizations are applying new expertise and new approaches.
Assess Security Program, Access Controls and Gaps/Coordination with Cyber Needs. Reviewing scope, frequency and evidence of attack and penetration testing, advance persistent threat scans and malware forensics, and assessing patch management, use of data loss prevention tools, access controls, procedures for granting system rights, renewal and termination procedures and multi-factor authentication strategy. Also, many companies are leveraging external experts and reports to benchmark Security Program staffing, organization structure and funding against industry norms or other best practices.
Design Procedures for Threat Intelligence and Information Sharing. Develop procedures to evaluate threat-intelligence suppliers and to process and document responses to threat intelligence information, while also creating guidelines on when and how to share attack information with government entities or others within the industry without running afoul of antitrust or other constraints and without destroying legal privilege.
Enhance Vendor Safeguards. Making more rigorous the vendor cybersecurity (and privacy/data protection) pre-contract assessment process, contractual safeguards and post-contract audit procedures.
Cyber Training and Launch Cyber Simulation Wargames. Supplementing existing security, privacy and/or data handling training to address cyber awareness, reporting/escalation and response. Also, it has become industry common practice to run a series of simulated cyber-attacks to test incident response and breach notification procedures and coordination among business, IT, legal/privacy, PR, external counsel, external forensics firms and other stakeholders.
Pulling It All Together – Via Wargames, Assessment and/or Mock Audits. Financial institutions and other companies with mature programs increasingly are testing and practicing the operation of their programs in one or more of the following ways:
— Conducting Cyber Simulation Wargames. As described in #6 above, many organizations increasingly are conducting quarterly or biannual wargames with varying scenarios from Chinese hackers, IP and/or privacy/personal information theft, knowledgeable insider and other threats.
— Conduct Readiness Assessment. Conduct assessments of the key program documentation and other artifacts to determine the financial institution’s compliance with the OCIE framework and other applicable standards (e.g., NIST, CBEST, FFIEC).
— Mock Regulatory Audit. Often, assessments can take the form of (or be supplemented with) a mock regulatory audit to test both documentation and staff preparedness. Audits take the form of preparing responses to mock audit document request lists based on prior exams and role-playing interviews where outside counsel plays the part of the regulator in the interview.
To learn more about the actions others are taking in response to the OCIE Alert, the OCIE required documentation and lessons learned from recent audits, please contact Jim Koenig, Behn Dayanim, Ashley Winton or any member of our Global Privacy and Cybersecurity practice.
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.
Subscribe to Caveat Vendor__. You will receive an email when the blog has been updated.