Strategies for the SEC cybersecurity exam

Submitted by Marc.Jones on July 26, 2019

Rob Ross:
Four or five years ago, we just began embarking on upgrading our technology. And over the last five years, we’ve really embraced it in a way that we hadn’t before. We feel that we’ve really, not only caught up to, but sort of leapfrogged over a lot of the technological issues that firms are having.
With the advent of our technology upgrades, we just began to recognize that there was a business risk in having data going to different technology platforms that wasn’t entirely housed on our own network anymore, which had been the case in the past. So, there was this awareness from management that we would have to safeguard this information. And then at, almost at the same time, the SEC really took up the issue on a national level. And so, it became sort of a dual mandate, one from internal and one from the government, establishing standards through its April 2014 cybersecurity initiative, which really set out some of the baseline standards that the SEC was, from that point on, expecting firms to put into place.
So, interestingly enough, we had been tackling the aspects of the SEC initiative for about a year when we got the proverbial knock on the door from the SEC. In our case, it was a little bit unique in the sense that we began a regulatory exam first, and even that process was a little bit surreptitious on the part of the government. But essentially, we began a routine regulatory exam, and only one week into responding to what is a pretty heavy burden as far as document requests go, they informed us that we were also being chosen for a parallel cybersecurity exam which, we didn’t know at that point, but is essentially an entirely separate and parallel exam run by a different department and by the SEC examiners.

So, if I could offer one piece of advice, I would say that for those firms that have an outside IT vendor, that person, that group, must be available for you at those times when the cybersecurity exam is at hand. Without them, you cannot possibly respond adequately to the conversation. The SEC has hired cybersecurity staff that is very well versed in these issues, not only cybersecurity as a standalone topic, but also systems and networks, and they really are hardware and software experts. And so, the conversation that takes place in these interviews, which is really the heart of the cybersecurity exam, is probably 95% technical. And, in that regard, you have to have qualified people who understand your network and who have helped you build it and maintain it to be onsite for those interviews. They want to know the nuts and bolts of what you’ve done to protect the network from a perspective, as well as a training perspective in your office.

By the time we actually met with the regulators a few months later, we had not only the results, but the potential remediation that needed to be done, where, let’s say, the technology upgrades that were suggested; all of that was already happening as we were meeting with the cybersecurity examination regulators.

Every experience is unique. You may get more than one examiner. They may be there for shorter bursts of time. They may be there more drawn out. So, it’s hard to generalize about what the experience will be like. But I can say that when the cybersecurity examiners come, they will be very well prepared, very specific, and have great knowledge about the subject matter.
