Recently, the SEC announced that its Office of Compliance Inspections and Examinations (OCIE) will examine the cybersecurity programs and procedures of more than 50 registered investment advisers and broker-dealers. The SEC's interest in cybersecurity stems from its concern that breaches put both clients and the financial system as a whole at risk. To carry out these examinations, the SEC released a risk alert that sets out the 28 specific requests it is sending to registered investment advisers and broker-dealers. Broadly, the requests concern a firm's cybersecurity governance, its ability to protect its networks and client information, its ability to assess the risks associated with remote client access and funds transfer requests, and its use of vendors and other third parties.
Even if a firm is not selected for an OCIE cybersecurity examination, every registered entity should familiarize itself with the risk alert, since it is essentially a blueprint for the SEC's expectations in this area. At a minimum, a firm should assemble a team of information technology professionals, human resources and compliance personnel, and outside counsel to assess how the firm measures up against each of the SEC's 28 requests. Where the firm has no policy or procedure addressing a particular request, it should either implement one or document why one is unnecessary for its business. Working through this process helps a firm build better protections and safeguards for its most important asset: sensitive client information.
While the SEC says its goal in gathering this information is to familiarize itself with the current state of cybersecurity in the industry, firms should expect the SEC to publish "best practices" or new regulations following this initial review. It is also important to keep in mind that the SEC's cybersecurity examinations do not occur in a vacuum; firms should also consider their compliance with other applicable rules that already bear on data security and identity theft, such as the SEC's Regulation S-P and Regulation S-ID.
It should also be noted that the SEC's expansion into cybersecurity issues is consistent with its Netflix ruling several months ago and with a recent court decision affirming the FTC's authority to bring data-security enforcement actions against companies. See FTC v. Wyndham Worldwide Corp., et al., No. 2:13-cv-01887-ES-JAD (April 8, 2014) ("Wyndham"). There, the court denied Wyndham's motion to dismiss the FTC's complaint, which alleged that Wyndham violated Section 5 of the Federal Trade Commission Act (the "FTCA") through unfair and deceptive trade practices "in connection with [Wyndham's] failure to maintain reasonable and appropriate data security for consumers' sensitive personal information."
The SEC also held a cybersecurity roundtable on March 26, which provides further background on the Commission's thinking in this area.