SEC plans cybersecurity sweep

Over 50 registered advisers and broker-dealers will be visited by SEC inspectors looking for cybersecurity vulnerabilities. 

The US Securities and Exchange Commission (SEC) is on a mission to better understand the financial system’s ability to withstand cyber-attacks. As part of that initiative, the agency will soon pay a visit to over 50 registered investment advisers and broker-dealers to ask about their IT systems and cybersecurity vulnerabilities, according to an SEC risk alert issued last week.

At this stage of the sweep the SEC is only in “information gathering mode” and not necessarily looking to line up cases for enforcement, according to multiple compliance consultants interpreting the alert.

It is understood the SEC has already been sending registered firms cybersecurity questionnaires over the past few weeks, implying that the sweep may reach more than just the 50 or so firms designated for an exam. The SEC declined to comment. 

The commission is making no secret of the types of questions it plans to ask during these onsite visits. In what some commentators describe as a rare move, the risk alert included a seven-page sample request list meant to “empower compliance professionals” to prepare for inspectors’ questions and properly review their systems.

The risk alert follows a cybersecurity roundtable the SEC hosted in March, where panelists encouraged legislators to set clear rules on how GPs can share cybersecurity information without breaking privacy laws; called for the adoption of principles-based cybersecurity regulations; and asked the SEC to write guidelines on how firms can proactively share cybersecurity threat information with each other and with the Financial Services Information Sharing and Analysis Center, which was launched in 1999 to help government and industry share information about cyber threats.

STEPS TO TAKE 

Fund advisers should use the sample document request list to perform a gap analysis on their cybersecurity, said Barry Schwartz, a partner with compliance consultancy firm ACA Compliance Group.

“The chief compliance officer should sit down with senior management and their IT professionals to figure out what the firm’s answers might look like in response to each question on the sample request list.”

A challenge for the CCO – who usually has a legal or regulatory background – in conducting that gap analysis may be understanding the technical details and jargon around cybersecurity that are more familiar to IT professionals, said Schwartz.

In February, the US National Institute of Standards and Technology released its “Framework for Improving Critical Infrastructure Cybersecurity” to help industry acquire more technical knowledge on cybersecurity.

Recent research from Stroz-Friedberg, a risk consultancy, illustrates how prevalent cybersecurity risk is today. Roughly 58 percent of senior managers admit to accidentally sending sensitive information to the wrong person, according to a survey of 764 US companies with more than 20 employees. Even more senior managers (87 percent) admit to engaging in the risky behavior of regularly uploading work files to a personal email or cloud account.