After initially focusing on assessing financial firms' cybersecurity preparedness in order to identify weaknesses and guide them toward best practices, the Securities and Exchange Commission (SEC) has begun to shift its attention toward compliance and enforcement.
Cybersecurity was listed among the regulator's examination priorities in both 2016 and 2017, with the SEC noting an intent to "advance" efforts to test and assess "firms' implementation of [cybersecurity] procedures and controls." The regulator's sweep of covered entities in 2013-14 found 88% of the broker-dealers and 74% of investment advisers examined had already experienced a cyberattack. In May 2016, then-SEC chair Mary Jo White identified cybersecurity as the largest single threat facing the financial system and warned that some major exchanges, dark pools and clearinghouses did not have adequate cyber policies or procedures to manage the level or nature of risk they face.
As a result, fund managers and investment firms must know their obligations and ensure they are in compliance with the SEC's expectations. This should include establishing and regularly reviewing cybersecurity risk management controls, disclosure policies and practices, and employee training, which the SEC has addressed in previous guidance.