Date: 2014-04-16
WASHINGTON, April 16 U.S. securities regulators
have unveiled a road map that lays out how they plan to make
sure Wall Street firms are prepared to detect and prevent cyber
security attacks.
The nine-page document, posted April 15, contains examples
of the questions Securities and Exchange Commission examiners
might ask brokerages and asset managers during inspections.
The document puts firms on alert to be prepared, for
instance, to provide a comprehensive list of when they detected
malware, suffered a "denial of service" attack or discovered a
network breach since January 2013. The SEC also plans
examinations of more than 50 firms that will focus on cyber
security-specific issues.
The document's release comes several months after Jane
Jarcho, an associate director in the SEC's investment adviser
examination program, announced in a speech the agency planned
to scrutinize whether firms have policies to prevent cyber
attacks.
The SEC subsequently followed up with a March 26 roundtable
where experts debated how public companies, brokerages, asset
managers and exchanges can protect themselves from cyber
threats, and what role the U.S. government should play to ensure
such attacks are adequately disclosed.
The heightened focus on cyber attacks comes at a time when
several major companies, from Target Corp to Neiman
Marcus Group, have suffered major data breaches.
The incidents have sparked a public policy debate about how
customers should be alerted, who should bear the cost of
breaches, and how such information should be disclosed both to
government and the public.
John Reed Stark, the SEC's former chief of Internet
enforcement and now a managing director with digital risk
management consultancy Stroz Friedberg, said the SEC's detailed
list of questions is both unusual and "forward-thinking."
"With the public disclosure of this questionnaire, the SEC
is giving up the surprise of one aspect of their exam program
and opting to provide to SEC-registered financial firms a rare
chance to prepare," he said.
In addition to asking questions about past attacks, the SEC
document also indicates that examiners might gather information
about how firms protect private customer information. This
includes checking to see how customers are authenticated to
access online accounts and what security measures are in place
to protect PIN numbers.
The list of possible questions can be found here: here+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
(Reporting by Sarah N. Lynch. Editing by Andre Grenon)