The SEC recently released a Risk Alert on cybersecurity produced by the Office of Compliance Inspections and Examinations (“OCIE”) this week. The Risk Alert details improvements and weaknesses observed during the National Examination Program staff’s examination of 75 broker-dealers, investment advisers and investment companies conducted between September 2015 and June 2016. Most advisers consider cybersecurity, privacy and identity theft as the hottest compliance topics.
The Risk Alert found that cybersecurity preparedness had increased since the SEC’s 2014 examinations but there were still areas where compliance and oversight could be improved. The SEC will continue conducting examinations in 2017 to focus on the implementation of cybersecurity measures. Cybersecurity was listed as a market-wide risk on the National Exam Program’s Examination Priorities for 2017.
Why do we follow this area? Hacking incidents are an embarrassment to corporations that put customer data, privacy and funds at risk. If corporations do not disclose them, they can contribute to potentially serious harm their customers. We expect that it will take whistleblowing in this area in the future to
A few of the issues of concern noted in the Risk Alert include:
- A significant number of advisers and investment funds did not maintain plans for data breach incidents and the notification of customers.
- Despite written policies to install software patches to address security vulnerabilities, a few firms had a significant number of uninstalled system patches that included critical security updates.
- Some examples were found of where high-risk findings from penetration tests or vulnerability scans were not fully remediated in a timely manner.
- Some of the broker-dealers did not memorialize their process for authorizing the transfer of funds to third-party accounts. Informal practices to verify customer identities before transferring funds are obviously a concern, since they present the risk that a third-party will successfully impersonate a customer and begin an unauthorized transfer.
- A majority of the firm’s information protection policies and procedures had issues, ranging from vague or general guidance to procedures that did not reflect the actual practices. These problems included contradictory instructions to employees, missed reviews of security protocols and customer protection efforts, as well as employees who did not take the required cybersecurity awareness training.
Cybersecurity is a big concern now for anyone in possession of customer data or money. If financial firms are routinely hacked, it will undermine the integrity and operation of the financial markets. Customers must be assured that their deposits are safe from hacking.
Although the failure to implement adequate cybersecurity protections is not an area where there have been substantial penalties issued yet, there have been a few SEC fines on the periphery (insider trading after hacking, market access rule following disruptions due to inadequate electronic trading safeguards). These fines seem likely to grow in the future as cybersecurity becomes a mainstream aspect of trading. As they do, whistleblowers will be an important ingredient of protecting the markets and customer funds.