At a Compliance Outreach Program hosted by the SEC in January 2014, senior SEC staff members discussed the SEC’s increased focus on cyber security matters. David Grim, Deputy Director of the SEC’s Division of Investment Management, told program attendees that cyber security is one of the top areas of concern communicated to him from industry participants. Jane Jarcho, National Associate Director of the Investment Adviser/Investment Company examination program in the Office of Compliance Inspections and Examinations, noted that the SEC is ramping up its examiners’ focus on cyber security, with a planned 2014 review of the policies that asset managers have in place to prevent, detect and respond to cyber attacks. In exams to be conducted this year, Ms. Jarcho said that examiners will review what resources firms and advisers are dedicating toward information security and the strength of policies in place to ensure regular assessment of cyber security risks. Ms. Jarcho added that examiners also will review policies designed to detect and respond to cyber attacks, deal with identity theft, and monitor vendors’ cyber security policies, as well as business continuity plans after attacks, IT training policies and in-house and third-party access to information. Ms. Jarcho also indicated that SEC examiners are planning to confirm that asset managers are reporting “material” cyber events to regulators.
In addition, the SEC recently announced that it will host a roundtable on March 26, 2014 at the SEC’s headquarters in Washington, DC to discuss cyber security, the issues and challenges it raises for market participants and public companies, and how those concerns are being addressed. In a speech at the annual SEC Speaks conference in February 2014, SEC Commissioner Luis Aguilar mentioned that he had recommended the convening of this roundtable because the observed increase in cyber security threats on businesses strongly suggests that the SEC needs to develop a better understanding of the related issues facing both market participants and issuers. With regard to transfer agents specifically, Commissioner Aguilar expressed concern that a cyber attack could result in the misappropriation of confidential shareholder information, the “hijacking” of public company shells and microcaps, or outright theft. He also suggested that the pending Regulation SCI, which covers tech security requirements for self- regulatory organizations, might be expanded to include transfer agents.