The Securities and Exchange Commission (SEC) plans to review the cyber defenses of 50 Wall Street broker-dealers and investment advisers to determine whether they are prepared for potential cyber threats.
The SEC Office of Compliance Inspections and Examinations (OCIE) will review each company's tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks.
In a security alert released last week, the SEC said the effort was launched after participants at an SEC-sponsored roundtable discussion in March stressed the importance of strong cybersecurity controls at Wall Street firms.
During the roundtable, SEC Commissioner Luis Aguilar recommended that the Commission collect information from broker-dealers and other financial firms about their cyber readiness. The SEC will follow-up with information on how it can can help the financial industry bolster security.
"OCIE's cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats," the alert noted.
The Commission did not respond to requests from Computerworld for more details on the planned exams, or a list of the firms to be tested.
The OCIE is responsible for administering the SEC's National Examination Program, which includes a series of examinations and inspections on companies in the securities industry.
The goal is to ensure that broker-dealers, the national securities exchanges, transfer agents, clearing agencies, investment advisers and others in the U.S. securities industry have proper controls in place.
This is the first time the Commission has included cybersecurity in its list of annual examinations, which underscores a high level of concern in the industry over disruptions stemming from cyber attacks.
The SEC's alert last week included a fairly lengthy sampling of the kind of questions that financial companies targeted for assessment can expect from the Commission.
For instance, the SEC will seek answers to questions about the best practices in the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Security.
Other questions touch on specific security controls.
For example, a section on cyber risk identification requires companies to provide specifics on the frequency with which their computing and network assets are inventoried. The examiners will also look for maps of network resources and data flows, and details on all connections with external firms.
Companies targeted for examination can also expect to be asked about the completeness of their written security policies, their business continuity plans, training programs, the frequency of their risk assessments and the group responsible for carrying out the assessments, the SEC said.
Questions on network and data security controls include those pertaining to access control, user authentication, escalation of user privileges and network segmentation.
Sign up for Computerworld eNewsletters.