Legal Insight: SEC Continues to List Cybersecurity Among OCIE Examination Priorities

The SEC Office of Compliance Inspections and Examinations (OCIE) has announced its 2018 examination priorities. Unsurprisingly, cybersecurity remains among the key priorities. OCIE has included cybersecurity as an examination topic since at least 2014.

OCIE released its 2018 priorities to “improve compliance, prevent fraud, monitor risk, and inform policy.” OCIE conducts the SEC’s National Exam Program (NEP), whose mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy. The results of the NEP’s examinations are used by the SEC to inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct. OCIE is responsible for conducting examinations of broker-dealers, investment advisers, transfer agents, and other SEC-regulated entities.

OCIE developed these priorities based on feedback from financial professionals, market participants, and attorneys regarding compliance challenges, recent trends, and high risk areas. SEC Chairman Jay Clayton noted that this year the priorities were directed at “asset verification, market infrastructure, and duties owed to retail investors.” OCIE Director Pete Driscoll reiterated those sentiments, stating that the risk-based strategy this year prioritized “the interests of retail investors and examined the aspects of securities firms that pose risks to investors and the functioning of the capital markets.”

Cybersecurity has increasingly become an important part of OCIE’s focus. In June 2017, the SEC issued an alert in the wake of the WannaCry ransomware attack. The alert details observations from examinations conducted in connection with OCIE’s Cybersecurity 2 Initiative, during which OCIE examined 75 businesses, including investment companies, investment advisers, and broker-dealers.

The staff noted that while all broker-dealers and nearly all investment advisors maintained written policies and procedures addressing cyber protections for customer records, many of these policies were too general and were not reasonably tailored to the firm’s business model. Some policies and procedures did not reflect actual practice at the firm, causing non-compliance with internal protocols. Many firms did not conduct adequate system maintenance, such as the installation of software patches to address vulnerabilities and operational safeguards to protect customer records and information. Finally, it appeared that many firms did not fully remediate risk discovered from penetration tests and vulnerability scans. The key takeaway was that firms were doing a better job of ‘saying the right things,’ but not actually doing them in a way that enhanced cybersecurity.

OCIE identified “the following elements as they could be useful in the implementation of cybersecurity-related policies and procedures:”

• Maintenance of an inventory of data, information, and vendors, including classifications of the risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor, if applicable
• Detailed cybersecurity-related instructions relating to penetration tests, security monitoring and system auditing, access rights, and cyber incident reporting
• Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including vulnerability scans and patch management
• Established and enforced controls to access data and systems, including “acceptable use” policies, mobile device management, log auditing of key vendors, same-day termination of access for separated employees.

Given this alert and the Cybersecurity Initiatives leading up to the examinations, it is not surprising that OCIE has continued to identify cybersecurity as an examination priority. In particular, OCIE is concerned about the increase in scope and severity of cybersecurity risks and the effect not only on the targeted firm, but also on market participants and retail investors who are not well informed of these risks. The examinations will continue to focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. This focus is consistent with that of other regulators examining cybersecurity issues in the financial services and other industries.

In addition to cybersecurity, other 2018 examination priorities include anti-money laundering programs and firms that provide products and services directly to seniors and those saving for retirement.

According to the AML program rules, some securities firms are required to establish anti-money laundering programs that identify their customers, perform customer due diligence, and monitor accounts for suspicious activity.  These firms are required to file Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN) when suspicious activity is noted.  You can learn more about OCIE’s focus on anti-money laundering programs (and anti-money laundering issues in general) by visiting our sister blog: Money Laundering Watch.

In recent years, we’ve witnessed a growing convergence between cybersecurity and AML. In October 2016, for instance, FinCEN issued a cyber threat advisory and FAQs discussing the use of SARs to report cyber threat activity.  Noting that “the proliferation of cyber-events and cyber-enabled crime represents a significant threat to consumers and the U.S. financial system,” FinCEN’s guidance was aimed at assisting “financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime.” FinCEN’s advisory also explained “how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime.”

In addition to focusing on cybersecurity and AML as separate priorities, we expect that OCIE and other financial services regulators will analyze the overlap between these interrelated programs.

As to firms offering products to seniors and retirement savers, OCIE stated that it will focus on higher risk products as well as technological changes in how services are directly delivered, including:

• Disclosure of Costs of Investing
• Electronic Investment Advice
• Wrap Fee Programs
• Never-Before-Examined Investment Advisors
• Senior Investors and Retirement Accounts/Products
• Mutual Funds and Exchange Traded Funds (ETFs)
• Municipal Advisors and Underwriters
• Fixed Income Order Execution
• Cryptocurrency, Initial Coin Offerings (ICOs), Secondary Market Trading and Blockchain