May 20, 2018

May 18, 2018


SEC’s 2018 Exam Priorities Reflect Continued Focus on Cybersecurity

Annually, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) publishes its examination priorities for the new year. Recently, OCIE announced five priorities that will inform its examinations moving into 2018.

OCIE is committed to “promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy.” In support of these “pillars,” OCIE intends to focus on:

  1. Issues of importance to retail investors, such as fee disclosures, mutual funds, and exchange-traded funds;

  2. Entities that are critical to the proper functioning of capital markets, such as clearing agencies and national securities exchanges;

  3. Oversight of the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB);

  4. Cybersecurity; and

  5. Anti-money laundering programs.

The emphasis on cybersecurity is not new.  As early as 2014, OCIE highlighted its commitment to monitoring cybersecurity practices of regulated entities when it launched a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.  In 2015 and 2017, the SEC released the results of its first two cybersecurity examination sweeps.  Prior examination priorities also included the SEC’s commitment to “examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at broker-dealers and investment advisers.”

In this year’s announcement, OCIE noted that the scope and severity of risks related to data breaches and cyber attacks have increased and that such attacks can affect not only the targeted firms, but unsuspecting investors and market participants as well.  In evaluating firms’ cybersecurity programs and potential enforcement referrals, the agency intends to emphasize governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

As noted in a recent post, cybersecurity continues to be a top priority for the SEC’s Division of Enforcement as well.  Indeed, in 2017 the Enforcement Division created a new specialized “Cyber Unit” dedicated to investigating violations related to cybersecurity intrusions and breakdowns.  And the SEC’s Chairman, Jay Clayton, has made clear in public remarks that he is personally focused on the issue.  Unfortunately, these public statements provide little specific guidance as to what cybersecurity measures will be deemed adequate.  Whether specifically subject to OCIE’s examination authority or not, however, organizations should be mindful that the SEC’s spotlight on cybersecurity is likely to intensify and approach their own risk assessments, budget, resources, and compliance priorities accordingly.   

© Copyright 2018 Squire Patton Boggs (US) LLP

About this Author

Coates Lear, Squire Patton Boggs Law Firm, Government Inquiries Attorney
Principal

Coates Lear specializes in assisting companies and individuals involved in government inquiries and enforcement proceedings, especially investigations and actions by the US Securities and Exchange Commission (SEC). Coates also advises on compliance matters, with a focus on asset management, and represents clients in complex litigation.

303-894-6141
Partner

Tara Swaminatha is a member of the Data Privacy and Cybersecurity Practice. Tara has acted as outside cybersecurity counsel on some of the most significant data breaches in recent years and has defended clients against federal, state and international regulatory actions and related litigation.

202-457-6031
attorney

Elizabeth Weil Shaw assists clients primarily with government enforcement actions and inquiries, as well as internal investigations and compliance reviews. Liz has analyzed matters involving investigations by the US Securities and Exchange Commission, Department of Justice and State Attorneys General. She is a contributor to the firm's Anticorruption Blog.

303-830-6129