WASHINGTON, Jan 30 - U.S. regulators said Thursday they plan to scrutinize whether asset managers have policies to prevent and detect cyber attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems.
"We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks," said Jane Jarcho, the national associate director for the Securities and Exchange Commission's investment adviser exam program.
"We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors," she added, in a presentation to a group of compliance professionals at SEC headquarters in Washington, D.C.
The SEC's upcoming 2014 review of cyber security policies at asset managers will be conducted as part of the agency's routine examinations of investment advisers and investment companies, such as mutual funds.
Inspections are designed to catch major problems before they bubble up; however, exams can also lead to enforcement action if the SEC uncovers egregious activity or repeat violations.
The new details revealed on Thursday about the SEC's focus on asset managers' cyber security policies come in the wake of attacks on several well-known retailers, including Target Corp and Neiman Marcus.
The arts and crafts chain Michaels has also said its network may have been breached, and the FBI has warned retailers to expect more attacks.
On Wednesday, Target revealed that the theft of credentials from an undisclosed vendor helped the attackers gain access to about 40 million credit and debit card records and another 70 million customer records.
Cyber thieves have been using vendors as a route to go after high-value targets for several years.
In 2011, hackers attempted to break into the networks of defense contractor Lockheed Martin Corp after stealing information from EMC Corp's RSA security division that allowed them to duplicate SecurID electronic keys.
Last year hackers attacked security software maker Bit9, then used stolen data to forge digital signatures on malicious software so they could launch a second round of attacks on
The decision by the SEC to focus on cyber issues in its inspections of asset managers pre-dated the Target incident.
But since the Target breach was made public in mid-December, some U.S. lawmakers and law enforcement officials have ramped up their focus on the issue and called for Congress to pass legislation that would require retailers and other private businesses to inform government agencies and customers about
In 2011, in response to another rash of cyber attacks, the SEC drafted some informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on a company's financial condition.
In addition, most states have laws on the books that require companies to tell customers about breaches, even if they are
However, critics say this disparate regime is harmful for consumers and investors because there is no unifying federal standard for when businesses must report data breaches.
In April, when SEC Chair Mary Jo White took over the helm of the agency, U.S. Senate Commerce Committee Chairman Jay Rockefeller asked her to consider releasing more formalized commission-level guidance to help ensure investors get information they need.
On the sidelines of Thursday's event, White said she felt the guidance the commission issued in 2011 has been "helpful in improving disclosures." However, she added, she plans to "continuously review" the issue to see if the SEC should do more, as Rockefeller is suggesting.
Meanwhile, Jarcho said that SEC examiners are also planning to make checks to ensure that asset managers are properly reporting major "material" cyber events to regulators.
"We recognize that as we sit here, there are probably thousands if not millions of attempts right now going on, but they are minor," Jarcho told the audience. "We don't expect each and every one to be reported," she added.