Investigators at the U.S. Securities and Exchange Commission are on the lookout for violations such as poor risk controls or lax disclosures relating to hacking and other cyber breaches, David Glockner, director of the SEC’s Chicago Regional Office, said at the 2015 SEC Speaks Conference in Washington, D.C. last month.  “Cybersecurity . . . is an area where we have not brought a significant number of cases yet, but is high on our radar screen,” Mr. Glockner noted during his remarks.  “Cybersecurity threats know no boundaries.  That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC Chair Mary Jo White.

U.S. policymakers have been paying close attention to cybersecurity over the past few years in the wake of high-profile attacks against public companies like Target, Home Depot and JPMorgan Chase.  In 2011, the SEC issued informal guidance for public companies on whether to disclose cyberattacks and their impact on a company’s financial condition.  Though some have said the SEC should do more on this front, SEC Chair Mary Jo White has said the informal guidance appears to be working well.  For now, the informal guidance is all that public companies have to rely on from the SEC regarding appropriate disclosures on cybersecurity risks; however, public companies can and should observe the SEC’s focus on the protection of customer information held by investment advisers and broker-dealers to get a sense for the SEC’s view on cybersecurity preparedness and associated risks.

On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert summarizing findings of its examinations of over 100 registered investment advisers and broker-dealers.  Here’s a summary of OCIE’s key findings:

  • Nearly 80% of investment advisers conduct periodic firm-wide risk assessments.
  • Over 70% of investment advisers have experienced cyber-related attacks.
  • The majority of investment advisers conduct firm-wide inventorying, cataloguing or mapping of their technology.
  • Less than a quarter of the investment advisers incorporate cybersecurity requirements into their contracts with vendors and business partners.
  • In contrast to the broker-dealers examined, only a third of the investment advisers designate a Chief Information Security Officer.  Instead, investment advisers typically designate the responsibility to their Chief Technology Officer or assign other senior officers to liaise with a third-party consultant.

OCIE is conducting further studies of cybersecurity preparedness among registered firms and has identified cybersecurity as one of its examination priorities for 2015.  According to Mr. Glockner, the two areas of emphasis are (1) the cybersecurity controls that companies have in place to protect market integrity and (2) the adequacy of public disclosures regarding material cyber events.