By Sarah N. Lynch
WASHINGTON (Reuters) - U.S. securities regulators have unveiled a road map that lays out how they plan to make sure Wall Street firms are prepared to detect and prevent cyber security attacks.
The nine-page document, posted April 15, contains examples of the questions Securities and Exchange Commission examiners might ask brokerages and asset managers during inspections.
The document puts firms on alert to be prepared, for instance, to provide a comprehensive list of when they detected malware, suffered a "denial of service" attack or discovered a network breach since January 2013. The SEC also plans examinations of more than 50 firms that will focus on cyber security-specific issues.
The document's release comes several months after Jane Jarcho, an associate director in the SEC's investment adviser examination program, announced in a speech the agency planned to scrutinize whether firms have policies to prevent cyber attacks.
The SEC subsequently followed up with a March 26 roundtable where experts debated how public companies, brokerages, asset managers and exchanges can protect themselves from cyber threats, and what role the U.S. government should play to ensure such attacks are adequately disclosed.
The heightened focus on cyber attacks comes at a time when several major companies, from Target Corp to Neiman Marcus Group, have suffered major data breaches.
The incidents have sparked a public policy debate about how customers should be alerted, who should bear the cost of breaches, and how such information should be disclosed both to government and the public.
John Reed Stark, the SEC's former chief of Internet enforcement and now a managing director with digital risk management consultancy Stroz Friedberg, said the SEC's detailed list of questions is both unusual and "forward-thinking."
"With the public disclosure of this questionnaire, the SEC is giving up the surprise of one aspect of their exam program and opting to provide to SEC-registered financial firms a rare chance to prepare," he said.
In addition to asking questions about past attacks, the SEC document also indicates that examiners might gather information about how firms protect private customer information. This includes checking to see how customers are authenticated to access online accounts and what security measures are in place to protect PIN numbers.
The list of possible questions can be found here: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
(Reporting by Sarah N. Lynch. Editing by Andre Grenon)