On April 15, 2014, the staff of the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert announcing an initiative to conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on cybersecurity. The SEC sponsored a Cybersecurity Roundtable on March 26, 2014 and has previously identified cybersecurity as a priority for 2014.

The Risk Alert includes a sample request for information and documents that OCIE may use in conducting cybersecurity examinations. The sample is intended to “empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.”

According to the Risk Alert, OCIE’s cybersecurity examinations will focus on:

• Cybersecurity governance;
• Identification and assessment of cybersecurity risks;
• Protection of networks and information;
• Risks associated with remote customer access and funds transfer requests;
• Risks associated with vendors and other third parties;
• Detection of unauthorized activity; and
• Experiences with certain cybersecurity threats (including, among other things, detection of malware, “denial of service” attacks and network breaches discovered since January 2013).

Firms may also have to disclose whether they updated their procedures to reflect the Identity Theft Red Flag Rules, which became effective in May 2013.

In light of the Risk Alert, registered broker-dealers and registered investment advisers should review the Risk Alert and the accompanying sample request for information and documents, evaluate their current cybersecurity practices in light of the Risk Alert, and consider whether enhancements or other changes to their current cybersecurity practices are warranted.

If you have questions concerning any of the foregoing, please contact your primary attorney in Seward & Kissel’s Investment Management Group.