BreachExchange mailing list archives

SEC seeks data on cyber security policies at Wall Street firms


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Apr 2014 18:09:05 -0600

http://www.networkworld.com/news/2014/042114-sec-seeks-data-on-cyber-280877.html?source=nww_rss

The Securities and Exchange Commission (SEC) plans to review the cyber
defenses of 50 Wall Street broker-dealers and investment advisers to
determine whether they are prepared for potential cyber threats.

The SEC Office of Compliance Inspections and Examinations (OCIE) will
review each company's tools and policies regarding governance, risk
identification and assessment, network and data security controls, remote
access and third-party cyber risks.

In a security alert released last week, the SEC said the effort was
launched after participants at an SEC-sponsored roundtable discussion in
March stressed the importance of strong cybersecurity controls at Wall
Street firms.

During the roundtable, SEC Commissioner Luis Aguilar recommended that the
Commission collect information from broker-dealers and other financial
firms about their cyber readiness. The SEC will follow up with information
on how it can help the financial industry bolster security.

"OCIE's cybersecurity initiative is designed to assess cybersecurity
preparedness in the securities industry and to obtain information about the
industry's recent experiences with certain types of cyber threats," the
alert noted.

The Commission did not respond to requests from Computerworld for more
details on the planned exams, or a list of the firms to be tested.

The OCIE is responsible for administering the SEC's National Examination
Program, which includes a series of examinations and inspections on
companies in the securities industry.

The goal is to ensure that broker-dealers, the national securities
exchanges, transfer agents, clearing agencies, investment advisers and
others in the U.S. securities industry have proper controls in place.

This is the first time the Commission has included cybersecurity in its
list of annual examinations, which underscores a high level of concern in
the industry over disruptions stemming from cyber attacks.

The SEC's alert last week included a fairly lengthy sampling of the kind of
questions that financial companies targeted for assessment can expect from
the Commission.

For instance, the SEC will seek answers to questions about the best
practices in the National Institute of Standards and Technology's (NIST)
Framework for Improving Critical Infrastructure Security.

Other questions touch on specific security controls.

For example, a section on cyber risk identification requires companies to
provide specifics on the frequency with which their computing and network
assets are inventoried. The examiners will also look for maps of network
resources and data flows, and details on all connections with external
firms.

Companies targeted for examination can also expect to be asked about the
completeness of their written security policies, their business continuity
plans, training programs, the frequency of their risk assessments and the
group responsible for carrying out the assessments, the SEC said.

Questions on network and data security controls include those pertaining to
access control, user authentication, escalation of user privileges and
network segmentation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss