In Outlining Its 2020 Examination Priorities, SEC Expresses Interest in Alternative Data and Cybersecurity Risks
On January 7, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In doing so, OCIE identified certain areas of technology-related concern, and in particular, on the issue of alternative data and cybersecurity. [For a more detailed review of OCIE’s exam priorities, see the Client Alert posted on our firm’s website].
Alternative Data: For the first time, OCIE has publicly listed alternative data as an examination priority, stating that “examinations will focus on firms’ use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions.”
Buy-side funds using alternative data should expect a heightened level of scrutiny from OCIE on this issue. Such entities should be ready to explain, among other things, its due diligence procedures for evaluating and vetting alternative data vendors and their techniques and contractual approaches used with such vendors, as well as protections against receipt of personally identifiable information (PII) and other potential MNPI considerations.
Cybersecurity: Following the SEC’s 2018 updated guidance on public company cybersecurity disclosures, information security remains a prominent focus of OCIE across its entire examination program. Specifically, OCIE stated that examinations will center on things such as “proper configuration of network storage devices, information security governance generally, and retail trading information security.” Moreover, OCIE announced that it would focus on vendor oversight practices, including cloud storage relationships, including “the controls surrounding online access and mobile application access to customer brokerage account information.” Lastly, the OCIE referenced that one of its priorities would be to examine the safeguards surrounding data disposal, specifically, the risks of retired hardware containing client information.
Expect a heightened level of scrutiny from OCIE on all of the foregoing. Entities should review their cybersecurity practices, including their agreements with third party vendors and service providers, in anticipation of the questions OCIE is likely to ask.
Blockchain and Digital Currency: OCIE stated that the rapid growth of digital assets present various risks, and that it would continue to “examine SEC-registered market participants” engaged in certain cryptocurrency activities and transfer agents developing blockchain technology, among other things. For a more thorough discussion of the blockchain and digital currency-related issues outlined by OCIE, please see the post on our Blockchain and the Law blog.