October 17, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

August 2017 Cybersecurity & Risk Alert from SEC

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its third National Exam Program Risk Alert of the 2017 calendar year, detailing OCIE’s findings and observations from its Cybersecurity 2 Initiative. This Cybersecurity 2 Initiative, the name for OCIE’s second round of cybersecurity examinations, builds on OCIE’s prior 2015 Cybersecurity 1 Initiative, and includes more robust validation and testing of cybersecurity controls to evaluate how well firms implement and follow their cybersecurity-related policies and procedures.

This latest OCIE Risk Alert summarizes the exam staff’s findings after conducting examinations of 75 firms, consisting of broker-dealers, investment advisers and investment companies registered with the SEC and includes three key sections. First, the staff provided a summary of its exam observations, including discussions of the use by registrants of risk assessments, penetration testing, tools to monitor loss of personal data, and other policies, procedures and methods for dealing with cybersecurity and related business continuity issues. Second, the staff noted that the vast majority of examinations uncovered one or more cybersecurity-related issues, and highlighted certain of the more prevalent issues observed by the staff. Finally, and perhaps most notably, the staff provided a list of “several elements that were included in the policies and procedures of firms that the staff believes had implemented robust controls.” When creating and implementing cybersecurity programs, other registrants may benefit from considering these good practices identified by the staff. We will be publishing a more detailed summary and analysis of the August 2017 Risk Alert, and in particular these guideposts for registrants consideration, in the coming week.

The August 2017 Risk Alert is the second cybersecurity-related Risk Alert issued by OCIE this year (the May 2017 Risk Alert dealt with ransomware issues), and with the September 2015 Risk Alert is the fifth expressly dealing with cybersecurity since 2014 when OCIE announced its Cybersecurity Preparedness Initiative, the results of which were summarized in a February 2015 Risk Alert. It is safe to say that not only has the SEC’s interest in cybersecurity issues faced by broker-dealers, investment advisers and investment companies not waned but, as is the case in almost every industry, it has intensified.

Financial industry participants registered with or subject to oversight by the SEC need to take notice of the spate of information on this topic produced by the SEC and be mindful of the concepts discussed by OCIE in these releases when creating, reviewing and/or modifying their cybersecurity policies and procedures to comply with and meet SEC regulatory requirements and expectations.

©2019 Greenberg Traurig, LLP. All rights reserved.


About this Author

Richard Cutshall, Greenberg Traurig Law Firm, Chicago, Corporate, Finance and Real Estate Law Attorney

Richard M. Cutshall has experience representing clients in a variety of investment management, corporate, and general securities matters, including the representation of mutual funds and other funds registered under the Investment Company Act of 1940, fund independent directors, unregistered investment companies, federally registered and state registered investment advisers, broker-dealers, and an array of public and private companies. 

Rich represents clients in all aspects of investment company practice, including organizing and forming new...

Arthur Don, Greenberg Traurig Law Firm, Chicago, Corporate and Finance Law Attorney

Arthur Don is the Co-Chair of the Investment Regulation Group. He has more than 30 years of experience representing mutual funds, public investment companies, fund independent directors, investment advisers, private investment funds, private equity funds, real estate funds, broker-dealers and public companies in a variety of sophisticated securities transactions. His experience includes various aspects of investment company practice, from organizing new funds through acquisitions and mergers of funds. Arthur has represented issuers and underwriters in numerous public offerings. He also frequently advises independent directors on fiduciary duties, and advises clients on compliance policy issues.


  • Investment management

  • Securities transactions

  • Private equity and venture capital

  • Real estate funds

  • Corporate compliance and social responsibility

  • Pension funds and institutional investors

  • Investment funds