SEC’s Latest Cybersecurity Risk Alert Identifies Elements of Robust Policies and Procedures

From: JDSupra

Nick Akerman, Kimberly Frumkin, Genna Garver

On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released yet another cybersecurity Risk Alert, entitled “Observations from Cybersecurity Examinations.” In this most recent Risk Alert, OCIE details its findings from its Cybersecurity 2 Initiative, which involved the examination of 75 firms, including broker-dealers, investment advisers, and investment companies, between September 2015 and June 2016. Following its 2014 Cybersecurity 1 Initiative, the Cybersecurity 2 Initiative set out to assess industry practices and legal, regulatory and compliance issues associated with cybersecurity preparedness, focusing in greater depth on validation and testing of procedures and controls. Because the Risk Alert sets forth a list of elements OCIE considers to be robust policies and procedures, registrants should use it as a checklist in assessing the adequacy and effectiveness of their cybersecurity compliance program in light of their business risks.

The SEC has made cybersecurity a priority in recent years as more cyberattacks threaten the industry. In addition to being named as a National Examination Program priority, cybersecurity has been a focus of the SEC’s outreach program. The SEC shared the results from its Cybersecurity 1 Initiative in its February 2015 Risk Alert entitled “Cybersecurity Examination Sweep Summary.” In May of this year, OCIE put out a Risk Alert regarding the ransomware called “WannaCry,” in which OCIE initially shared its observations from its Cybersecurity 2 Initiative to provide guidance to registrants for strengthening cybersecurity programs and protecting against the ransomware. Beyond its exam program and outreach, the SEC’s Enforcement Division has also been focusing on the matter by bringing cases against investment advisers and broker-dealers for cybersecurity-related violations. On all fronts, the SEC is trying to get the message out that cybersecurity is one of the greatest risks facing the financial services industry and that registrants must ensure their compliance programs address the risks posed by cyberattacks.
