On January 12, 2017, the Securities and Exchange Commission (SEC) announced this year’s priorities and areas of focus of its Office of Compliance Inspections and Examinations (OCIE). The OCIE conducts the SEC’s National Examination Program and promotes compliance with federal securities laws.
The SEC’s pronouncement can be found at: https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.
It is no surprise that cybersecurity risks will continue to be one of the OCIE’s primary areas of focus in 2017. Not only has departing SEC Chair Mary Jo White been quoted as saying that “Cyber attacks are a constant threat to our markets,” but cybersecurity risks have been a top priority of the OCIE since the SEC hosted a roundtable in March 2014 to discuss cybersecurity and the concerns it raises for public companies. To date, OCIE examinations have evaluated and assessed whether investment advisers and broker-dealers have implemented appropriate cybersecurity controls and procedures. In continuing this initiative, the SEC will likely continue to enforce the Safeguards Rule in Regulation S-P, which requires broker-dealers and investment advisers to implement written policies and procedures to safeguard customer information.
In recent years, the SEC has settled several enforcement actions relating to inadequate cybersecurity protections and policies. For example, in 2016, Morgan Stanley Smith Barney LLC settled charges relating to its failure to safeguard customer information and ended up paying a $1 million penalty. In addition, after approximately 100,000 individuals’ personal information was compromised, R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, paid a $75,000 penalty and agreed to be censured in order to settle charges that it failed to adopt appropriate cybersecurity policies and procedures.
Registered broker-dealers, investment companies, and investment advisers should heed the SEC’s warning and implement appropriate cybersecurity procedures and controls. It is clear that the SEC and the OCIE are continuing to take cybersecurity risks very seriously.