Insurance & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:53 AM
Mathew J. Schwartz, Dark Reading
Mathew J. Schwartz, Dark Reading
Connect Directly

SEC Requests Financial Firms' Security Details

SEC asks 50 businesses for copies of their security policies, procedures, and controls in an effort to help the industry bolster cybersecurity protection.

The Securities and Exchange Commission plans to study the information security policies, procedures, and levels of preparedness of businesses in the financial services sector.

In an announcement issued earlier this month, the SEC's Office of Compliance Inspections and Examinations (OCIE) said it would be "conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity" -- government-speak for anything involving information, computers, and security.

The agency's stated rationale for conducting the examinations is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." Interestingly, the agency added that "this guidance is not a rule, regulation, or statement of the commission," suggesting that the information would be amassed -- at least initially – only for information-gathering purposes.

[ 5 Areas Where Insurance CIOs Must Be Cautious. ]

What form will those examinations take? While no final version of the exam has been released, the OCIE included in its announcement a 28-question sample cyber security document that poses questions around such areas as risk identification, safeguarding firms' networks, securing remote customer access and fund-transfer requests, working with vendors, and detecting unauthorized activity. The agency said the questions are based in part on the "Framework for Improving Critical Infrastructure Cybersecurity" released by the National Institute of Standards and Technology in February.

What's especially notable about the SEC's announcement is that the examination isn't predicated on telling businesses what to do or presenting them with a checklist. Instead, it says that maintaining correct risk-based controls is the responsibility of any individual business, and that those controls will be unique to the business. For now, the SEC wants details about what businesses are doing and why they're doing it.

[ Read the rest of this article on Dark Reading. ]

Register for Insurance & Technology Newsletters