September 19, 2017

September 18, 2017


August 2017 Cybersecurity & Risk Alert from SEC

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its third National Exam Program Risk Alert of the 2017 calendar year, detailing OCIE’s findings and observations from its Cybersecurity 2 Initiative. This Cybersecurity 2 Initiative, the name for OCIE’s second round of cybersecurity examinations, builds on OCIE’s prior 2015 Cybersecurity 1 Initiative, and includes more robust validation and testing of cybersecurity controls to evaluate how well firms implement and follow their cybersecurity-related policies and procedures.

This latest OCIE Risk Alert summarizes the exam staff’s findings after conducting examinations of 75 firms, consisting of broker-dealers, investment advisers and investment companies registered with the SEC, and includes three key sections. First, the staff provided a summary of its exam observations, including discussions of the use by registrants of risk assessments, penetration testing, tools to monitor loss of personal data, and other policies, procedures and methods for dealing with cybersecurity and related business continuity issues. Second, the staff noted that the vast majority of examinations uncovered one or more cybersecurity-related issues, and highlighted certain of the more prevalent issues observed by the staff. Finally, and perhaps most notably, the staff provided a list of “several elements that were included in the policies and procedures of firms that the staff believes had implemented robust controls.” When creating and implementing cybersecurity programs, other registrants may benefit from considering these good practices identified by the staff. We will be publishing a more detailed summary and analysis of the August 2017 Risk Alert, and in particular these guideposts for registrants’ consideration, in the coming week.

The August 2017 Risk Alert is the second cybersecurity-related Risk Alert issued by OCIE this year (the May 2017 Risk Alert dealt with ransomware issues), and, with the September 2015 Risk Alert, is the fifth expressly dealing with cybersecurity since 2014, when OCIE announced its Cybersecurity Preparedness Initiative, the results of which were summarized in a February 2015 Risk Alert. It is safe to say that not only has the SEC’s interest in cybersecurity issues faced by broker-dealers, investment advisers and investment companies not waned but, as is the case in almost every industry, it has intensified.

Financial industry participants registered with or subject to oversight by the SEC need to take notice of the spate of information on this topic produced by the SEC and be mindful of the concepts discussed by OCIE in these releases when creating, reviewing and/or modifying their cybersecurity policies and procedures to comply with and meet SEC regulatory requirements and expectations.

©2017 Greenberg Traurig, LLP. All rights reserved.



About this Author

Richard Cutshall, securities exchange commission attorney Greenberg Traurig, corporate governance lawyer, mutual funds counsel
Shareholder

Richard M. Cutshall has experience representing clients in a variety of investment management, corporate, and general securities matters, including the representation of mutual funds and other funds registered under the Investment Company Act of 1940, fund independent directors, unregistered investment companies, federally registered and state registered investment advisers, broker-dealers, and an array of public and private companies. 

Rich represents clients in all aspects of investment company practice, including organizing and forming new...

312-476-5121
Arthur Don, Greenberg Traurig, mutual funds attorney, public investment company counsel, private equity lawyer, mergers law
Shareholder

Arthur Don has more than 30 years of experience representing mutual funds, public investment companies, fund independent directors, investment advisers, private investment funds, private equity funds, real estate funds, broker-dealers and public companies in a variety of sophisticated securities transactions. His experience includes various aspects of investment company practice, from organizing new funds through acquisitions and mergers of funds. Arthur has represented issuers and underwriters in numerous public offerings. He also frequently advises independent directors on fiduciary duties, and advises clients on compliance policy issues.

Areas of Concentration:

  • Investment management
  • Securities
  • Private equity and venture capital
  • Real estate funds
  • Corporate compliance and social responsibility
  • Pension funds and institutional investors
  • Investment funds
312-456-8400
Elizabeth C. Rogers, Cybersecurity and Privacy Attorney, Greenberg Traurig Law firm
Shareholder

Elizabeth C. Rogers was appointed as the first Chief Privacy Officer in Texas state government prior to joining Greenberg Traurig. Elizabeth’s background places her in a very small percentage of law firm business lawyers in the country who have first-hand experience providing practical legal services and solutions for cybersecurity and privacy requirements with a team of information security and technology professionals. Elizabeth’s in-house role involved collaborating with members of executive leadership and department managers, the Office of General Counsel, Internal...

512-320-7256