SEC Makes Cybersecurity Examination Priority for 2016
Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance. For example, SEC Commissioner Luis A. Aguilar, in his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” noted that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” It should come as no surprise, then, that the SEC recently announced that cybersecurity compliance will be one of its selected examination priorities in 2016. The inspection and examination priorities selected by the SEC “reflect certain practices and products that [the Office of Compliance Inspections and Examinations] perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The recent announcement is a natural continuation of the SEC’s focus on cybersecurity in the financial services industry.
In April 2014, after holding a roundtable discussion with industry representatives, the SEC announced a series of examinations to identify and assess cybersecurity risks and preparedness in the securities industry. In February 2015, the Financial Industry Regulatory Authority (“FINRA”) released a “Report on Cybersecurity Practices.” As FINRA observed, the frequency and sophistication of cyber attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat.
Subsequently, in September 2015, the SEC launched a second initiative to examine the cybersecurity compliance and controls in place at broker-dealers and investment advisory firms. The SEC expressed concern regarding public reports that had identified cybersecurity breaches related to weaknesses in basic data controls. As a result, this second initiative focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses.
Shortly thereafter, the SEC announced that a St. Louis-based investment adviser had agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. At the time, an SEC representative emphasized that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients . . . Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Without admitting any wrongdoing, the firm agreed to cease and desist and pay a $75,000 fine.
In the recent statement, the SEC indicated that, to advance the efforts announced last September, the 2016 examinations will be looking at structural risks and trends that may involve multiple firms or entire industries. The examinations will include the testing and assessment of the implementation of procedures and controls at the target companies. Companies subject to the SEC’s jurisdiction are therefore well advised to make cybersecurity and data privacy a priority in their own compliance regimes.