SEC examiners to review how asset managers fend off cyber attacks

The headquarters of the U.S. Securities and Exchange Commission (SEC) are seen in Washington, July 6, 2009. REUTERS/Jim Bourg

By Sarah N. Lynch

WASHINGTON (Reuters) - U.S. regulators said Thursday they plan to scrutinize whether asset managers have policies to prevent and detect cyber attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems.

"We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks," said Jane Jarcho, the national associate director for the Securities and Exchange Commission's investment adviser exam program.

"We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors," she added, in a presentation to a group of compliance professionals at SEC headquarters in Washington, D.C.

The SEC's upcoming 2014 review of cyber security policies at asset managers will be conducted as part of the agency's routine examinations of investment advisers and investment companies, such as mutual funds.

Inspections are designed to catch major problems before they bubble up; however, exams can also lead to enforcement action if the SEC uncovers egregious activity or repeat violations.

The new details revealed on Thursday about the SEC's focus on asset managers' cyber security policies come in the wake of attacks on several well-known retailers, including Target Corp and Neiman Marcus.

The arts and crafts chain Michaels has also said its network may have been breached, and the FBI has warned retailers to expect more attacks.

On Wednesday, Target revealed that the theft of credentials from an undisclosed vendor helped the attackers gain access to about 40 million credit and debit card records and another 70 million customer records.

Cyber thieves have been using vendors as a route to go after high-value targets for several years.

In 2011, hackers attempted to break into the networks of defense contractor Lockheed Martin Corp after stealing information from EMC Corp's RSA security division that allowed them to clone the one-time codes generated by SecurID authentication tokens.

Last year hackers attacked security software maker Bit9, then used the company's own stolen code-signing certificate to put valid-looking digital signatures on malicious software so they could launch a second round of attacks on Bit9's customers, whose systems were configured to trust software signed by Bit9.

The decision by the SEC to focus on cyber issues in its inspections of asset managers pre-dated the Target incident.

But since the Target breach was made public in mid-December, some U.S. lawmakers and law enforcement officials have ramped up their focus on the issue and called for Congress to pass legislation that would require retailers and other private businesses to inform government agencies and customers about major breaches.

In 2011, in response to another rash of cyber attacks, the SEC drafted some informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on a company's financial condition.

In addition, most states have laws on the books that require companies to tell customers about breaches, even if they are privately held.

However, critics say this disparate regime is harmful for consumers and investors because there is no unifying federal standard for when businesses must report data breaches.

In April, when SEC Chair Mary Jo White took over the helm of the agency, U.S. Senate Commerce Committee Chairman Jay Rockefeller asked her to consider releasing more formalized commission-level guidance to help ensure investors get information they need.

On the sidelines of Thursday's event, White said she felt the guidance the commission issued in 2011 has been "helpful in improving disclosures." However, she added, she plans to "continuously review" the issue to see if the SEC should do more, as Rockefeller is suggesting.

Meanwhile, Jarcho said that SEC examiners are planning to also make checks to ensure that asset managers are properly reporting major "material" cyber events to regulators.

"We recognize that as we sit here, there are probably thousands if not millions of attempts right now going on, but they are minor," Jarcho told the audience. "We don't expect each and every one to be reported," she added.

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)