Last week, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its examination priorities for 2015. One area of focus will be assessing cybersecurity controls. TheOCIE’s letter [1] to national exchanges sets out its examination approach for the coming year.
The OCIE’s focus on cybersecurity compliance and controls tracks similar plans released January 6, 2015 by the Financial Industry Regulatory Authority (“FINRA”) in its annual Regulatory and Examinations Priorities Letter [2].
FINRA reports it will review firms’ approaches to cybersecurity risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments.
In January 2014, FINRA initiated a sweep to better understand the types of threats its member firms are subject to, as well as their responses to those threats. It expects to publish the results of that sweep early this year. That report will contain best practices firms should consider in developing and implementing their cyber-security programs including the use of frameworks and standards, the role of risk assessments, the identification of critical assets, and the implementation of controls to protect assets.
With heightened scrutiny on cybersecurity over the coming year by regulatory bodies such as the SEC and FINRA, executives and corporate boards should be reminded of the importance of implementing and maintaining adequate cybersecurity controls.