SEC Urges "Robust" Cybersecurity Best Practices

As cyber-attacks continue to threaten the financial industry, the SEC has made cybersecurity an urgent priority. On August 7, the SEC's Office of Compliance Inspections and Examination (OCIE) released a new cybersecurity Risk Alert. This Risk Alert provides valuable insights into entities about effective cybersecurity practices. Entities and their personnel are well-advised to refresh their cybersecurity policies, practices, and training in light of the matters flagged in this Risk Alert.

The Risk Alert describes findings from OCIE's second cybersecurity survey of 75 regulated entities (registered broker-dealers, investment advisers, and investment companies), based on examinations conducted between September 2015 and June 2016. OCIE's first survey was conducted in 2014, and published in 2015. Underscoring the SEC's keen focus on cybersecurity concerns, this is the SEC's fifth release focused on cybersecurity since 2014.

OCIE's Risk Alert contains a mixed progress report on firms' cybersecurity practices, as well as some important best practices for "robust" cybersecurity.

Good News / Bad News Progress Report

The recent survey includes some good news, as well as highlights areas for improvement for firms. Overall, OCIE found significant improvements in cybersecurity preparedness since its first initiative. Yet in certain key areas, OCIE's recent survey revealed a mixed bag:

Best practices

In the Risk Alert, OCIE also identifies certain hallmarks of "robust" cybersecurity policies and procedures. Although not a comprehensive list, OCIE recommended that firms use these best practices as a check list when assessing the adequacy and effectiveness of their own cybersecurity compliance programs. OCIE suggested that firms:

OCIE noted that it "will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls." Senior SEC officials have warned that cybersecurity remains a priority for the Division of Enforcement as well. In other words, failing to proactively address cybersecurity concerns could lead to exam deficiencies, or worse – attracting the attention of the SEC's Division of Enforcement.

States Are Proactive Too

Firms also should be aware of the recent emergence of comprehensive state cybersecurity compliance requirements. Colorado, for example, recently implemented new rules requiring firms to adopt specific cybersecurity protocols, including conducting annual assessments and using secure email. (See our prior alerts here and here.) And New York enacted specific rules for financial institutions as well. (See our prior alert here.) Other states may well follow. Even if not technically applicable, firms may want to use their local state's requirements as a guide of potentially reasonable procedures.

Unfortunately, cybersecurity risks for regulated entities are not disappearing anytime soon. Thus cybersecurity-related regulatory mandates likely will only increase going forward. To minimize regulatory risks, as well as the significant adverse business and reputational impacts risks that an actual cyber incident might cause, firms and their personnel should proactively and promptly address potential cybersecurity concerns.

Copyright Holland & Hart LLP 1995-2024.
National Law Review, Volumess VII, Number 234