The Securities and Exchange Commission (SEC) plans to review the cyber defenses of 50 Wall Street broker-dealers and investment advisers to determine whether they are prepared for potential cyber threats.
The SEC Office of Compliance Inspections and Examinations (OCIE) will review each company's tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks.
In a security alert released last week, the SEC said the effort was launched after participants at an SEC-sponsored roundtable discussion in March stressed the importance of strong cybersecurity controls at Wall Street firms.
During the roundtable, SEC Commissioner Luis Aguilar recommended that the Commission collect information from broker-dealers and other financial firms about their cyber readiness. The SEC will follow up with information on how it can help the financial industry bolster security.
"OCIE's cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats," the alert noted.
The Commission did not respond to requests from Computerworld for more details on the planned exams, or a list of the firms to be tested.
The OCIE is responsible for administering the SEC's National Examination Program, which includes a series of examinations and inspections on companies in the securities industry.
The goal is to ensure that broker-dealers, the national securities exchanges, transfer agents, clearing agencies, investment advisers and others in the U.S. securities industry have proper controls in place.
This is the first time the Commission has included cybersecurity in its list of annual examinations, which underscores a high level of concern in the industry over disruptions stemming from cyber attacks.
The SEC's alert last week included a fairly lengthy sampling of the kind of questions that financial companies targeted for assessment can expect from the Commission.
For instance, the SEC will seek answers to questions about the best practices in the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
Other questions touch on specific security controls.
For example, a section on cyber risk identification requires companies to provide specifics on the frequency with which their computing and network assets are inventoried. The examiners will also look for maps of network resources and data flows, and details on all connections with external firms.
Companies targeted for examination can also expect to be asked about the completeness of their written security policies, their business continuity plans, training programs, the frequency of their risk assessments and the group responsible for carrying out the assessments, the SEC said.
Questions on network and data security controls include those pertaining to access control, user authentication, escalation of user privileges and network segmentation.
John Stark, managing director of Stroz Friedberg, a security intelligence and risk management firm, said it's unusual for the SEC to publicly release a list of questions to be asked in an upcoming review.
Stark, a former chief of the SEC's office of Internet enforcement, speculated that one reason for the release may be that it's the first thorough SEC assessment of cyber security controls in the securities industry. Past reviews focused mostly on how financial companies are protecting customer data, he said.
The new exams appear more detailed and exhaustive. "I don't think they have been this focused, this broad, this creative or this exhaustive," he said. "This is a very well written questionnaire."
Tipping regulated entities about the content of the exam likely gives financial firms a chance to plug holes in their security posture before SEC regulators begin the testing, he said.
Companies that get low marks will likely get deficiency letters from the SEC. In some cases, the Commission could also refer a company to the appropriate enforcement agency, Stark said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.