On April 15, the Securities and Exchange Commission issued an unprecedented blueprint for assessing cybersecurity preparedness in the securities industry, a document that the regulator will use for examining the cybersecurity status of more than 50 broker-dealers and investment advisors. The SEC issued a detailed but high-level series of questions that will form the basis for the examinations, a document which follows in part the cybersecurity framework issued by the National Institute of Standards and Technology in February.
The goal is to "help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats." While this effort is aimed at registered financial entities, the SEC has stepped up its interest in cybersecurity matters more broadly over the past few years, starting with guidance issued to publicly traded companies on how they should discuss cyber risks in their required financial filings.
Moreover, some experts who follow the SEC's interest in cybersecurity say that the agency's Division of Corporation Finance has been quietly stepping up its scrutiny of SEC filings to ensure that companies adequately disclose cyber risks, frequently requesting that companies supply additional information about existing or potential cyber risks. And late last month the SEC held a cybersecurity round table during which several of the agency's Commissioners raised the prospect of imposing minimum cybersecurity disclosure requirements beyond those contained in the existing guidance.
Aside from indicating increased interest in cybersecurity, the blueprint is notable because it represents one of the earliest efforts by a regulator to incorporate the NIST framework into a quasi-official action or endeavor. "It's one of the first endeavors that a regulatory body has made to actually begin leveraging the framework in an implementation," Patrick Miller, Partner and Managing Principal of cybersecurity consulting firm The Anfield Group, said.
Although the NIST framework is considered to be a voluntary scheme for improving cybersecurity across critical infrastructure industries, many of the participants in the framework's development, particularly Washington representatives of critical infrastructure asset owners, repeatedly asserted concerns about any language in the framework that might hint at possible regulatory requirements.
Most cybersecurity specialists, however, say that there is little to fear in the SEC's partial reliance on the NIST framework. "The SEC has done a good job of developing a broad set of guidelines for a certain set of companies," Jack Whitsitt, Principal Analyst for energy industry cybersecurity consortium EnergySec, said. "I think you're looking at baseline cybersecurity stuff" that any decent-sized firm should be prepared to handle, he added.
Miller thinks this reliance on the framework by a government agency could help cybersecurity measures by signaling to regulators in other industries that the NIST framework is a previously absent but much-needed template to help cut through the clutter of conflicting cybersecurity schemes. "The path will open up…now it will go from a dirt road to a paved road to a two-lane highway," he said, referring to the fact that the SEC's move may give other government agencies more freedom to start leveraging the framework.
The SEC itself might do well to follow its own blueprint. Yesterday the General Accounting Office (GAO) issued a report that found key weaknesses in the security controls in the SEC's own network, servers, applications, and databases. Specifically the GAO found weaknesses in the following areas:
- Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets.
- Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
- Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers.
- Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.
The primary cause of the SEC's failing grade was the agency's failure to adequately oversee the work of a contractor during the migration of a key financial system to a new location.