SEC’s 2016 Examination Priorities Include Continuing Focus on Cybersecurity Controls
The Securities and Exchange Commission last week issued a press release outlining the agency’s 2016 Examination Priorities, which include cybersecurity. The release states:
“To help fulfill the SEC’s mission of maintaining fair, orderly, and efficient markets, OCIE will continue its focus on cybersecurity controls at broker-dealers and investment advisers.”
This announcement comes in the wake of the SEC’s 2015 order censuring an investment adviser and imposing a $75,000 fine for cybersecurity control gaps. Among these gaps were a lack of: (a) written policies and procedures designed to safeguard client data; (b) periodic risk assessments; and (c) a breach response plan. The 2015 order followed a data breach suffered by the investment adviser and the SEC’s post-breach examination.
Thus, the SEC may uncover lax or missing cybersecurity controls either through a formal examination or by investigating after a data breach has occurred. Whistleblowers such as disgruntled former employees also present a threat.
While cybersecurity is an ongoing challenge, putting basic cybersecurity controls in place is not an overwhelming task.