(5 min read)
The SEC’s Office of Compliance Inspections and Examinations (OCIE) published its 2019 Examination Priorities in late 2018.
Threats from cybersecurity continue to alarm and frustrate businesses worldwide, with financial services being the industry with the greatest loss from fraud and cyber attacks.
In an effort to provide guidance to the industry, the SEC is increasing resources for cybersecurity monitoring, training, and awareness — including adding cybersecurity to their examination priorities.
Here are oft-repeated areas of focus:
During his speech at the SIFMA Operations Conference in May 2019, OCIE Director Peter Driscoll stated that establishing procedures to secure mobile devices, servers, hard drivers, and laptops — even once deactivated and removed from service — is paramount.
Transparency and Reporting
Transparency in reporting is more important than ever. The SEC has issued severe enforcement actions against several companies that mishandled the reporting and disclosure of data breaches.
Expectations are changing, but at minimum, your security program should address specific cyber threats that are based on systems-wide assessments (like the CAT, discussed below). Incident response plans should include tiered responses based on the severity of the breach.
These incident response plans are expected to be regularly updated.
Even though compliance with Regulation S-P came into effect in 2001, OCIE exam teams have observed that some firms’ policies and procedures still do not 1) adequately cover standard security features such as encryption and password protection, 2) do not do enough to protect against unauthorized access, and 3) do not sufficiently address requirements for implementing secure configurations, especially in cloud storage.
A Risk Alert issued by the SEC in April 2019 goes into further detail about compliance issues associated with Regulation S-P.
Continued Focus on Never-Before-Examined Advisors
In addition to investment firms with multiple branch offices, the SEC is continuing previous efforts for a regulatory examination of registered financial and investment advisors and firms that are newly licensed, and have never before been through a regulatory examination.
The focus will be on agents and firms that are three years old and younger, and have not been assessed.
These examinations will be conducted, as others, by OCIE. Their stated focus will be on issues that directly impact investors, and include management of client assets, portfolio management, compliance programs, filings and disclosures, and other priority issues, including cybersecurity.
Industry-wide chinks in the armor
Cybersecurity experts describe several areas of particular concern:
- Networking or global connections
- Network data storage, which is also global
- Internal threats
- End-user devices as entry into networks, such as personal computers
- Risks inherent in third-party vendors and contractors.
All of these areas of critical market infrastructure represent an even stronger need for continuous monitoring, risk assessment, and process improvement.
Stay on Top of Changing Cybersecurity Regulation
Earlier this week, the SEC announced Kevin Zerrusen as Senior Advisor to the Chairman for Cybersecurity Policy. A 30-year veteran of the CIA where he was responsible for running the agency’s cyber center, Zerrusen will “coordinate efforts across the agency to address cybersecurity policy, engage with external stakeholders, and help enhance the SEC’s mechanisms for assessing cyber-related risks.”
As the SEC and other regulators continue to take a strong role in cybersecurity, we can expect regulations to keep changing in order to keep pace with evolving cyber threats.
Are You a CAT Person?
The Cybersecurity Awareness Tool, or CAT, was developed by the FFIEC (Federal Financial Institutions Examination Council). This tool is a top-down assessment program that is designed to be used sequentially, with areas of risk identified and corrected before the next round of assessments. It assesses overall cybersecurity preparedness and also identifies specific risks within and without, as well as issues such as proper governance and accountability.
While there is no obligation or requirement to use the CAT to assess cybersecurity preparedness, the SEC is going to use the CAT questions and format as part of the examination process.
Rise Above with Ascent
Ascent uses market-leading AI to pinpoint the cyber regulations that your firm is expected to comply with, saving Risk and Compliance hundreds if not thousands of hours in manually researching and analyzing regulation. By offloading these tedious and highly manual tasks to Ascent, our customers are able to spend their valuable time and effort on the critically human work of developing and implementing compliance policy across the business.
LEARN MORE: How Ascent Works