On September 15, 2015, the U.S. Securities and Exchange Commission (“SEC”) announced a second round of examinations into the securities industry’s cybersecurity policies, continuing its focus on the industry’s ability to protect the integrity of the market system and customer data from cyberattack. This examination follows the SEC’s February 2015 preliminary investigation, conducted by the Commission’s Office of Compliance Inspections and Examinations (“OCIE”), which found that a majority of broker-dealers (nine in ten polled) and advisors (just under 75% of those polled) had experienced cyberattacks, despite a majority having written policies in place to prevent and respond to cybersecurity issues.
In light of the apparent inadequacy of the polled firms’ existing policies to handle cybersecurity issues, the aims of this second round of examinations are (1) to assess the implementation and efficacy of the firms’ cybersecurity policies, (2) to encourage better compliance practices, and (3) to further the SEC’s understanding of cybersecurity preparedness.
As part of the September 15 announcement, the OCIE issued a risk alert that outlines the factors on which examiners will focus in the second round, namely the firms’ risk assessment and cybersecurity governance procedures, the level of communication with the board of directors and senior management, the efficacy of safeguards to control access to their systems, the management and control of content transferred outside of their systems, due diligence with regard to interaction with outside vendors, and the training of employees/vendors on cybersecurity measures. The SEC has stated that vendor monitoring and oversight (the cause of the catastrophic December 2013 Target Corp. data breach) and risk assessment, and periodic evaluation thereof, will be of particular concern.
This second round of examinations into broker-dealers’ and advisors’ cybersecurity is likely a harbinger of the SEC’s more strenuous expectations with regard to adequate cybersecurity and its more aggressive enforcement stance toward lax cybersecurity.
The SEC’s focus on the cybersecurity of the securities industry began in March 2014, when the SEC’s Cybersecurity Roundtable underscored the growing frequency and severity of cyberattacks that jeopardized the integrity of the market system and customer data. The SEC’s interest in cybersecurity goes back even further, to at least 2011, when its Office of Corporation Finance issued guidance that public companies needed to include disclosures of material cybersecurity risks and incidents in their SEC filings. While the SEC has yet to take an enforcement action against a company or market participant because of cybersecurity failures, it is clear from the SEC’s continued guidance on the topic, as well as statements by its enforcement staff, that cybersecurity is high on the SEC enforcement division’s radar.