SEC Pushes Cybersecurity Awareness with OCIE Cybersecurity Initiative

On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert (the “Risk Alert”) pertaining to its initiative to assess cybersecurity preparedness in the securities industry. The OCIE willbe conducting examinations of more than 50 registered broker-dealers and registered investment

Cyber Security Updateadvisors, focusing on areas related to cybersecurity. This initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the cyber threats that have recently affected the industry. C-level executives, in-house counsel, security officers and risk management officers should all take note.

To provide some insight into how the OCIE will analyze a firm’s cybersecurity preparedness, the OCIE provided a sample cybersecurity information request list as an appendix to its Risk Alert. That information request list includes 28 different questions that aim to empower compliance professionals within companies with questions and tools they can use to assess their respective firms’ cybersecurity preparedness. These questions and tools should be used regardless of whether the firm is included in the OCIE examinations outlined by this Risk Alert.

The sample information request list in the Risk Alert covers the following six topics:

  • Identification of cybersecurity risks and cybersecurity governance
  • Protection of firm networks and information
  • Risks associated with remote customer access and funds transfer requests
  • Risks associated with vendors and other third parties
  • Detection of unauthorized activity
  • Other cybersecurity threats

While the Risk Alert is not a regulation or a ruling, it could potentially be a preface to coming regulation in this area. It is likely that failing to at least address the information request list items from the Risk Alert will cause the SEC to exercise more scrutiny during an examination.

Going Forward

Firms should incorporate the sample information requests included in the Risk Alert into their risk management policies. Failure to at least discuss the issues outlined in this questionnaire might indicate fault on the part of the firm in the event of a cybersecurity breach. Wise managers will discuss this issue and review the sample information request list now. Firms should implement a documented security policy, obtain cybersecurity insurance, and begin addressing the items from the Risk Alert questionnaire that they currently cannot answer. Better to get started on this now, than when the SEC comes knocking.

Please contact Ward Bondurant ( or Larry Kunin ( if you have questions about the information in this article.


The information presented and contained within this article is provided as general information only, and does not, and is not intended to constitute legal, employment or tax advice. Any opinions expressed within this article are solely the opinion of the individual author(s).