The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert last week on managing cybersecurity risks.[1] The SEC is very serious about compliance with cybersecurity standards. The Commission recently hosted a Cybersecurity Roundtable to gather information from technology experts, registered entities and other interested parties on best practices for managing cyber-threats. Less than a month after the Roundtable, OCIE has released this Risk Alert.
OCIE announced that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers focusing on areas related to cybersecurity preparedness. The examinations will cover, among other areas, the governance process for managing cyber-risks, detection and assessment of cyber-risks, controls for managing identified risks, remote customer access to a registered entity's systems, and service provider relationships. To facilitate a registered entity's preparedness for the upcoming examination, OCIE has provided a sample document request, which provides information that can be used to assess a firm's level of cyber-preparedness.
Since data breaches are daily occurrences, registered entities would be wise to commence a cyber-review as soon as possible. Since corporate America is amply on notice about cyber-threats, OCIE is not likely to go easy on entities that are not prepared. For example, in the Risk Alert, OCIE asked whether a firm has updated supervisory procedures to reflect the Identity Theft Red Flag Rules that became effective over a year ago.[2] If a firm has not done so, OCIE seeks a full explanation for the delinquency.
For more information about the Risk Alert or how to design a cybersecurity compliance program, please contact any of the individuals listed above or Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 or firstname.lastname@example.org. Mr. Bowers has written extensively about cyber-threats and the National Institute of Standards and Technology's development of a cybersecurity framework (referenced in the Risk Alert). For more information on this topic, see his article "Mitigating Data Breach Liability: In Search of a Best Practice."
[1] OCIE National Exam Program Risk Alert (April 15, 2014), available here.
[2] See Day Pitney Advisory on compliance with the Identity Theft Red Flags Rule (May 10, 2013).