On January 11, 2016, the Securities and Exchange Commission announced the 2016 examination priorities list. For the third year in a row, cybersecurity is a top concern, especially with regard to internal security program assessment and evaluation. This year the Office of Compliance Inspections and Examinations (“OCIE”) will focus on cybersecurity protocols implemented by financial firms to protect consumer information from cyberattack. Investment advisors and broker dealers are forewarned that security is no longer an academic discussion and that OCIE examiners will ask hard questions regarding the effectiveness of protective procedures. In addition, the agency will expect verified proof that safeguards designed to secure personal and sensitive information adequately defend against cyber threats and vulnerabilities.
The 2016 priority list continues to expand the agency’s 2015 cybersecurity initiative which focused on the protection of consumer information collected, held and utilized by investment firms. This emphasis on data security is a direct result of the increased use of diverse technology by advisors and dealers in business transactions that require the exchange of highly sensitive financial information. In addition, high profile data breaches have shaken consumer confidence resulting in a demand for stricter standards for the protection of confidential data. As a result, funds and advisors are now required to test security systems and evaluate the effectiveness of internal practices.
As a practical matter, the 2016 priorities list highlights the importance of identifying risks, building a robust security framework, monitoring program effectiveness and establishing protocols to respond to cyberattacks. Periodic risk assessments, with documented benchmarks for success, are now an integral part of verifying compliance with SEC obligations. In addition, knowledge of the content, use and storage of sensitive consumer information is fundamental to good information governance and risk management. Last, ongoing investigations to determine internal and external cybersecurity threats and vulnerabilities are required to avoid noncompliance and ensure new information regarding cyberattacks is incorporated into existing security programs. Undoubtedly, the 2016 priority list requires written policies, procedures and training to ensure security measures are implemented, systematically followed and effective.
Investment advisors and brokers should expect OCIE examiners to request detailed security program assessments and evaluations throughout 2016. In 2017, we predict the SEC will continue to focus on cybersecurity and mandate financial firms exchange information regarding cyberattacks to maintain industry awareness of threats to consumer information.