Over the past several years, the SEC has indicated that cybersecurity policies and procedures would be an area of focus during examinations. In an ironic twist, internal cybersecurity is now also a higher priority for the SEC itself.
In May 2017, recently appointed SEC Chairman Jay Clayton initiated an “assessment of [the SEC’s] internal cybersecurity risk profile and [its] approach to cybersecurity from a regulatory and oversight perspective.” The SEC’s self-assessment addresses many of the considerations also faced by regulated entities, from understanding the nature of data being collected and stored to identification and mitigation of cybersecurity risks. In addition, the SEC’s assessment will examine how the SEC uses its oversight and enforcement authorities in the cybersecurity context.
This internal assessment comes at a significant time for the SEC, following a 2016 breach of the EDGAR filing system and ahead of the planned launch of the Consolidated Audit Trail (“CAT”) slated for November 2017. CAT aims to improve monitoring through the use of “a comprehensive set of trading data,” by creating a centralized database to maintain records across the various stages of an order for NMS securities, including customer and related information collected from broker-dealers. The increased volume of non-public trading data and customer information will lead to an increased need to protect such data from misuse. Between the information submitted to EDGAR prior to being made publicly available and the additional data collected by CAT, potential cybersecurity intrusions pose myriad risks to issuers and investors, including the potential for hackers to trade on non-public information.
In conjunction with its increased cybersecurity self-evaluation, the SEC will continue to examine the cybersecurity procedures and controls of regulated entities, such as investment advisers, to ensure that client data is protected and, in the event of a data breach, mitigation efforts are adequate. In September 2017, the SEC’s Division of Enforcement created a new Cyber Unit to “focus the Enforcement Division’s substantial cyber-related expertise on targeting cyber-related misconduct.” According to the SEC, examples of the misconduct to be targeted by the Cyber Unit include market manipulation schemes, violations involving distributed ledger technology and initial coin offerings, and cyber-related threats to trading platforms and other critical market infrastructure.
The SEC has made cybersecurity compliance assessments one of its exam priorities for 2017 and prior years, and the creation of the Cyber Unit and launch of CAT suggest that regulated entities such as broker-dealers and investment advisers should prepare for cybersecurity to remain a priority for the foreseeable future.