On January 27, 2020, OCIE issued a report detailing cybersecurity and resiliency observations the staff made after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report offers a snapshot of current market practices in seven key areas:

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up which is prompting a significant uptick in compliance efforts.

Finra is reviewing technology controls and cybersecurity programs of broker-dealer firms but is taking on a consultative approach, according to executives at the self-regulator.

In this post, we analyze the highlights in and our takeaways from the 2020 Priorities.

“OCIE’s 2020 examination priorities identify key areas of risk, both existing and emerging, that we expect self-regulatory organizations (SROs), clearing firms, investment advisers and other market participants to identify and mitigate,” SEC Chairman Jay Clayton says in a statement.

In the first half of 2019, data breaches increased by 54% compared to the first six months of 2018, according to a study by Risk Based Security. The amount of data breaches in the headlines has only increased in recent months, and as we look ahead to 2020, I expect to see more of the same.

The question is, are hackers really getting that much better at cyberattacks, or is it that organizations still aren't taking the steps needed to reduce their risk and exposure to the threats they are facing? I think it's a mixture of both. But certainly, the fact that three out of four organizations aren't providing basic cybersecurity training to their employees, according to a survey my company did with Censuswide, isn't helping things. The easier people make it for cyberattackers to exploit weak cyberpractices, the more we're going to see hackers take the easiest way into an enterprise.

Financial advisers don't want to talk about cybersecurity.

Firm Operations:

The 2019 Report focuses on cybersecurity, business continuity plans (BCPs) and fixed income mark-up disclosure. Noteworthy examination findings and observations include:

At a recent cybersecurity conference in New York City, there was a sterling panel of attorneys and executives from almost every branch of the federal and New York state governments who somehow touch upon the topic of cybersecurity. This included representatives from the Securities and Exchange Commission (SEC), the Federal Bureau of Investigation, the U.S. Attorney’s office for the Southern District of New York, the Federal Trade Commission, and the New York State Department of Financial Services (NYDFS). Rarely do you see every one of these agencies and departments on the same panel, let alone in the same room.