Categories: Financial Services

Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance. For example, SEC Commissioner Luis A. Aguilar, in his speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” noted that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.” It should come as no surprise, then, that the SEC recently announced that cybersecurity compliance will be one its selected examination priorities in 2016. The inspection and examination priorities selected by the SEC “reflect certain practices and products that [the Office of Compliance Inspections and Examinations] perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.” The recent announcement is a natural continuation of the SEC’s focus on cybersecurity in the financial services industry.

In April 2014, after holding a roundtable discussion with industry representatives, the SEC announced a series of examinations to identify and assess cybersecurity risks and preparedness in the securities industry. In February 2015, the Financial Industry Regulatory Authority (“FINRA”) released a “Report on Cybersecurity Practices.” As FINRA observed, the frequency and sophistication of cyber attacks are increasing, and it is imperative to have fundamental controls in place to manage risk and reduce the threat.

Subsequently, in September 2015, the SEC launched a second initiative to examine the cybersecurity compliance and controls in place at broker-dealers and investment advisory firms. The SEC expressed concern regarding public reports that had identified cybersecurity breaches related to weaknesses in basic data controls. As a result, this second initiative focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses.

Shortly thereafter, the SEC announced that a St. Louis-based investment adviser had agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients. At the time, an SEC representative emphasized that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients . . . Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” Without admitting any wrongdoing, the firm agreed to cease and desist and pay a $75,000 fine.

In the recent statement, the SEC indicated that, to advance the efforts announced last September, the 2016 examinations will be looking at structural risks and trends that may involve multiple firms or entire industries. The examinations will include the testing and assessment of the implementation of procedures and controls at the target companies. Companies subject to the SEC’s jurisdiction are therefore well advised to make cybersecurity and data privacy a priority in their own compliance regimes.

A version of this article originally appeared in the Take 5 newsletter “Five Employment Law Compliance Topics of Interest to Financial Services Industry Employers.”

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.