SEC Signals Heightened Scrutiny of Cybersecurity Practices.

On January 7, 2020, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced its 2020 Examination Priorities that included cybersecurity practices. Soon after the publication of the OCIE Examination Priorities, on January 27, 2020, OCIE followed-up with a report entitled Cybersecurity and Resiliency Observations.  These two OCIE releases, along with prior SEC alerts and actions, provide strong indications that the SEC, in 2020, will be ramping up its focus on cybersecurity practices in the financial services industry. We expect increased examination and enforcement activities concerning cybersecurity practices, including vendor management and controls.

2020 Examination Priorities: Information Security

OCIE’s 2020 Examination Priorities include information security practices for investment advisers, broker dealers, municipal advisers, and other registered entities that fall within the scope of OCIE’s programs. As in previous years, OCIE is prioritizing information security practices in the industry to bolster investor and financial market confidence given the potential risk if massive data breaches were to occur. Information security examinations for 2020 will, therefore, include the following:

OCIE also encourages market participants to engage with regulators and law enforcement to identify and address security risks like cyber-related attacks.

OCIE Cybersecurity and Resiliency Observations

This OCIE report, issued within the same month as the OCIE Priorities, discussed industry practices to manage and combat cybersecurity risk and to maintain operational resiliency that OCIE has observed through “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants…” Here’s our take:

Recommended action

Given the prominence of information security in OCIE’s 2020 Examination Priorities, registered firms should ensure that their policies and procedures appropriately account for risks to customer records and to IT systems in accordance with Regulation S-P Rule 30. With regard to broker-dealers specifically, FINRA will play an important part in this trend toward greater regulatory oversight. Indeed, FINRA expects all firms to implement policies and procedures related to cybersecurity, but expects that firms will approach these challenges in accordance with their scale and model.

Finally, in light of OCIE’s report on industry practices, registered firms also should review their current procedures and processes to determine whether they are equivalent to or reasonably meet the goals of the practices described in the Report, and whether further enhancements are appropriate or necessary.

Baker McKenzie – Bernard (Brian) L. Hengesbaugh, Harry Valetk, Amy J. Greer, Jennifer L. Klass, A. Valerie Mirko, Peter K.M. Chan and Jerome Tomas

February 4 2020

Copyright © 2020 Bond Case Briefs |