The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert last week on managing cybersecurity risks.[1] The SEC is very serious about compliance with cybersecurity standards. The Commission recently hosted a Cybersecurity Roundtable to gather information from technology experts, registered entities and other interested parties on best practices for managing cyber-threats. Less than a month after the Roundtable, OCIE has released this Risk Alert.
OCIE announced that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers focusing on areas related to cybersecurity preparedness. The examinations will cover, among other areas, the governance process for managing cyber-risks, detection and assessment of cyber-risks, controls for managing identified risks, remote customer access to a registered entity's systems, and service provider relationships. To facilitate a registered entity's preparedness for the upcoming examination, OCIE has provided a sample document request, which provides information that can be used to assess a firm's level of cyber-preparedness.
Since data breaches are daily occurrences, registered entities would be wise to commence a cyber-review as soon as possible. Since corporate America is amply on notice about cyber-threats, OCIE is not likely to go easy on entities that are not prepared. For example, in the Risk Alert, OCIE asked whether a firm has updated supervisory procedures to reflect the Identity Theft Red Flag Rules that became effective over a year ago.[2] If a firm has not done so, OCIE seeks a full explanation for the delinquency.
For more information about the Risk Alert or how to design a cybersecurity compliance program, please contact any of the individuals listed above or Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 or firstname.lastname@example.org. Mr. Bowers has written extensively about cyber-threats and the National Institute of Standards and Technology's development of a cybersecurity framework (referenced in the Risk Alert). For more information on this topic, see his article "Mitigating Data Breach Liability: In Search of a Best Practice."
[1] OCIE National Exam Program Risk Alert (April 15, 2014), available here.
[2] See Day Pitney Advisory on compliance with the Identity Theft Red Flags Rule (May 10, 2013).