Goodman suggested that the commission might publish a risk alert after it digests the findings from the second phase of its cybersecurity initiative, which he described as "a testing approach" to follow up on the first phase, a fact-finding endeavor he called "a correspondence effort."
"We learned a lot from phase one, and we've learned enough to know that there's a meaningful role our non-expert cyber examiners can play in assessing cyber preparedness," Goodman said.
"So we're going into firms and actually testing things like how they manage access controls," he explained. "Are they designed to limit access reasonably to the functions that various people play? Do they keep tabs on those access rights as people's roles change? Once someone has an access right or misappropriates an access right and gets into the system, how does the system's architecture work? Can people move around anywhere they want within that system's architecture, or is it designed so that if someone gets in either properly or improperly they're walled off to some reasonable area?"
OCIE examiners also are looking at the credentialing systems firms have in place that grant users access to their networks, in particular whether they are using multi-factor authentication.
"Hopefully, you need a token or something other than just a password," Goodman said. "Well, we're trying to see: is that really used by firms consistently, and across firms?"
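The access-control and multi-factor questions Goodman lists above (are entitlements limited to what a role needs, are they re-checked when roles change, is something stronger than a password actually in use) are the kind of checks an examiner or an internal audit team can script against an identity inventory. The following is an added example, not code from the article, OCIE, or any firm it describes; the role model, user records and finding labels are all constructed for illustration.

```python
"""Access-review checks over a constructed identity inventory.

Each user record carries an assigned role, the entitlements actually granted,
whether MFA is enrolled, and the dates of the last role change and the last
access review. The checks flag the three gaps the exam questions target.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical role-to-entitlement model (constructed for this example):
# the set of entitlements a role is designed to need, nothing more.
ROLE_ENTITLEMENTS = {
    "trader": {"order_entry", "market_data"},
    "ops": {"settlement", "market_data"},
    "admin": {"user_admin", "settlement", "order_entry", "market_data"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: Set[str]
    mfa_enrolled: bool
    role_changed_on: date
    last_access_review: Optional[date] = None


def excess_entitlements(user: User) -> List[str]:
    """Entitlements granted beyond what the user's current role allows."""
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())
    return sorted(user.entitlements - allowed)


def review_older_than_role_change(user: User) -> bool:
    """True when the role changed after the last access review (or none was done),
    i.e. nobody has re-checked the rights since the person's job changed."""
    return user.last_access_review is None or user.last_access_review < user.role_changed_on


def review(users: List[User]) -> List[Tuple[str, str, str]]:
    """Run all checks; return (user, finding, detail) tuples in a stable order."""
    findings = []
    for u in users:
        extra = excess_entitlements(u)
        if extra:
            findings.append((u.name, "excess_entitlements", ",".join(extra)))
        if review_older_than_role_change(u):
            findings.append((u.name, "review_older_than_role_change", u.role_changed_on.isoformat()))
        if not u.mfa_enrolled:
            findings.append((u.name, "mfa_not_enrolled", ""))
    return findings


# Constructed sample inventory: alice is clean; bob moved from trader to ops,
# kept order_entry, and his last review predates the move; carol has no MFA.
SAMPLE_USERS = [
    User("alice", "trader", {"order_entry", "market_data"}, True,
         date(2023, 1, 10), date(2023, 6, 1)),
    User("bob", "ops", {"settlement", "market_data", "order_entry"}, True,
         date(2023, 9, 15), date(2023, 6, 1)),
    User("carol", "admin", {"user_admin", "settlement", "order_entry", "market_data"}, False,
         date(2022, 3, 3), date(2023, 6, 1)),
]

if __name__ == "__main__":
    for name, finding, detail in review(SAMPLE_USERS):
        print(f"{name}: {finding} {detail}".rstrip())
```

The first check is the least-privilege test (rights beyond the role), the second catches the "roles change but rights do not" problem by comparing review and role-change dates, and the third reports accounts relying on a password alone; in a real programme the inventory would be exported from the directory or IAM system rather than hand-built.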
Of course, OCIE's role essentially is to serve as the eyes and ears for the commission, and Goodman was quick to point out that his division does not make policy or handle enforcement actions. But cybersecurity is very much on the radar of the unit that does bring cases against bad actors in the industry.