The Securities and Exchange Commission plans to study the information security policies, procedures, and levels of preparedness of businesses in the financial services sector.
In an announcement issued earlier this month, the SEC's Office of Compliance Inspections and Examinations (OCIE) said it would be "conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity" -- government-speak for anything involving information, computers, and security.
The agency's stated rationale for conducting the examinations is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." Interestingly, the agency added that "this guidance is not a rule, regulation, or statement of the commission," suggesting that the information would be amassed -- at least initially – only for information-gathering purposes.
What form will those examinations take? While no final version of the exam has been released, the OCIE included in its announcement a 28-question sample cyber security document that poses questions around such areas as risk identification, safeguarding firms' networks, securing remote customer access and fund-transfer requests, working with vendors, and detecting unauthorized activity. The agency said the questions are based in part on the "Framework for Improving Critical Infrastructure Cybersecurity" released by the National Institute of Standards and Technology in February.
What's especially notable about the SEC's announcement is that the examination isn't predicated on telling businesses what to do or presenting them with a checklist. Instead, it says that maintaining correct risk-based controls is the responsibility of any individual business, and that those controls will be unique to the business. For now, the SEC wants details about what businesses are doing and why they're doing it.
[ Read the rest of this article on Dark Reading. ]