The Securities and Exchange Commission last week issued a press release outlining the agency’s 2016 Examination Priorities that included cybersecurity. The release states:
"To help fulfill the SEC’s mission of maintaining fair, orderly, and efficient markets, OCIE will continue its focus on cybersecurity controls at broker-dealers and investment advisers."
This announcement comes in the wake of the SEC’s 2015 order censuring an investment adviser and imposing a $75,000 fine for cybersecurity control gaps. Among these gaps were a lack of: (a) written policies and procedures designed to safeguard client data; (b) periodic risk assessments; and (c) a breach response plan. This 2015 order followed a data breach suffered by the investment advisor, and the SEC’s post-breach examination.
Thus, the SEC may uncover lax or missing cybersecurity controls either through a formal examination or by investigating after a data breach has occurred. Whistleblowers such as disgruntled former employees also present a threat.
While cybersecurity is an ongoing challenge, putting basic cybersecurity controls in place is not an overwhelming task. Armstrong Teasdale has successfully assisted investment adviser clients with risk assessment, cybersecurity policy, and incident response planning. These projects can be done on a fixed-fee basis, providing clarity as to costs and timeframes.