It may be a new decade, but the focus of the Securities and Exchange Commission (SEC) on cybersecurity has not shifted. In particular, the SEC noted in its 2020 Examination Priorities that the Office of Compliance Inspections and Examinations (OCIE) “will continue to prioritize cyber and information security risks across the entire examination program.” This pronouncement and other recent regulatory guidance underscore the risk of potentially far-reaching harm that breaches and security incidents pose to market participants and retail investors. Building on its earlier guidance (previously covered here), OCIE emphasized a cooperative approach to help firms identify and address these risks, bolster compliance programs to protect against them, and encourage engagement with regulators and law enforcement.
OCIE also indicated that SEC exam staff will continue to focus on investment advisers’ policies, procedures and controls with respect to:
- Governance and risk management
- Access controls
- Data loss prevention
- Vendor management
- Incident response and resiliency
To help firms address these areas, OCIE referenced its Risk Alerts on configuring network storage and safeguarding customer information (previously covered here). Among other things, these alerts urged firms to:
- Properly configure network storage solutions
- Adequately monitor vendors
- Accurately classify data and inventory systems
- Provide privacy and opt-out notices in a timely manner
- Avoid boilerplate programs by conducting risk assessments and tailoring policies, procedures and controls
- Prepare incident response plans and train employees
- Address common risks posed by personal devices, electronic communications, networks and outside vendors
Notably, OCIE announced in its 2020 Examination Priorities that it plans to scrutinize access controls for online accounts and mobile applications as well as proper disposal of retired hardware that may contain sensitive customer or network information.
Given the SEC’s continued focus here, firms of all stripes – including broker-dealers, investment companies, investment advisers and private funds – should be prepared for OCIE to closely examine their written information security programs, internal controls, and compliance with Regulation S-P and Regulation S-ID. After all, it’s 2020 and the risks remain.