The SEC’s Office of Compliance Inspections and Examinations has announced that it will conduct cybersecurity examinations of more than 50 broker-dealers and investment advisers. The sweep exams will focus on identification and assessment of cybersecurity risks, protection of networks and information, remote access to funds, vendor risks, detection of unauthorized activity, experience with cybersecurity threats, and firm governance. OCIE also released a 7-page sample request list to “empower compliance professionals … regardless of whether they are included in OCIE’s examinations.” OCIE has also said that it would assess cybersecurity during routine examinations.
OUR TAKE: The request list (and its required activities) will challenge compliance officers because it demands technical knowledge outside the expertise of compliance and regulatory staff. Ultimately, Compliance may need to deputize somebody in IT to help. The required activities may also prove very costly to smaller firms.