Article by Samantha V. Ettari
After initially focusing on assessing financial firms' cybersecurity preparedness in order to identify weaknesses and guide them toward best practices, the Securities and Exchange Commission (SEC) has begun to shift its attention toward compliance and enforcement.
Cybersecurity was listed among the regulator's examination priorities in both 2016 and 2017, with the SEC noting an intent to "advance" efforts to test and assess "firms' implementation of [cybersecurity] procedures and controls." The regulator's sweep of covered entities in 2013-14 found 88% of the broker-dealers and 74% of investment advisers examined had already experienced a cyberattack. In May 2016, then-SEC chair Mary Jo White identified cybersecurity as the largest single threat facing the financial system and warned that some major exchanges, dark pools and clearinghouses did not have adequate cyber policies or procedures to manage the level or nature of risk they face.
As a result, fund managers and investment firms must know their obligations and ensure they are in compliance with the SEC's expectations. This should include establishing and regularly reviewing cybersecurity risk management controls, disclosure policies and practices, and employee training, which the SEC has addressed in previous guidance.
In addition, several SEC regulations govern firms' cybersecurity responsibilities. For example, Regulation S-P requires registered broker-dealers, investment companies and investment advisers to "adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information." The regulation requires that these policies and procedures be reasonably designed to:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Regulation Systems Compliance and Integrity (Regulation SCI) covers entities such as self-regulatory organizations including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems trading NMS and non-NMS stocks exceeding specified volume thresholds, disseminators of consolidated market data, and certain other exempt clearing agencies. The regulation is designed to strengthen the U.S. securities market technology infrastructure in order to:
- Reduce the occurrence of systems issues;
- Improve resiliency when systems problems do occur; and
- Enhance the SEC's oversight and enforcement of securities market technology infrastructure.
Rule 13n-6 of the Securities Exchange Act requires every security-based swap data repository to establish, maintain and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, integrity, resiliency, availability and security. Similarly, Exchange Act Rule 15c3-5 – also known as the Market Access Rule – requires a broker or dealer with market access, or one that provides a customer with access to an exchange or alternative trading system, to "establish, document and maintain a system of risk management controls and supervisory procedures" reasonably designed to manage the financial, regulatory and other risks of this business activity.
These regulations demonstrate the common theme in the SEC's approach to cybersecurity: protecting systems and infrastructure, and preventing hacking attacks, privacy breaches and other cyber events, through the creation and regular updating of adequate policies and procedures.
Since initiating its first cyber-related action against an investment adviser that failed to meet these requirements and exposed the information of 100,000 brokerage clients through a cyberattack, the SEC has broadened its focus from examining for cybersecurity shortcomings to bringing enforcement actions for noncompliance. In April 2016, the regulator's Enforcement Division announced it had already initiated several enforcement actions against firms that allegedly failed to protect client data as required by the Regulation S-P privacy rule – and warned there would be more to follow.
With the SEC's recently enhanced attention to covered entities' cybersecurity practices, fund managers and other investment firms should be scrutinizing their own practices just as closely to ensure compliance with the regulator's cyber-related guidance and regulations. When it comes to addressing cyber threats, the SEC has emphasized the importance it places on prevention efforts. In the event of a cybersecurity breach, proper response and disclosure remain essential to maintaining compliance.