On June 2, 2016, the SEC announced the appointment of Christopher Hetner as Senior Advisor to the Chair for Cybersecurity Policy. Hetner, who was formerly the Cybersecurity Lead for the Technology Control Program within the SEC’s Office of Compliance Inspections and Examinations, will be responsible in this new post for coordinating efforts across the agency to address cybersecurity policy by providing advice directly to Chair Mary Jo White. Before joining the SEC, he led Ernst & Young’s Wealth and Asset Management Sector Cybersecurity practice and was the Chief Information Security Officer at GE Capital.
The appointment reflects the SEC’s increasing scrutiny of cybersecurity risks at brokerage and advisory firms and publicly held companies. This year, it issued new guidance and again identified cybersecurity as a high priority. The SEC stated that it would evaluate firms’ compliance with the SEC’s Regulation SCI, which is meant to strengthen technology infrastructure in response to increased cybersecurity threats. Chair White has identified cybersecurity as the biggest risk facing the financial system, saying that “we can’t do enough” to review defenses against cyberattacks, particularly those targeting broker-dealers and investment advisors.
The SEC’s focus on cybersecurity issues is beginning to be reflected in its enforcement actions as well. Last year, the SEC brought fraud charges in various cases that implicated the Commission’s cybersecurity guidance. Earlier this month, the SEC announced that a major bank would pay a $1 million penalty to settle an administrative proceeding related to cybersecurity. The SEC found that the bank’s failure to adopt written policies and procedures to protect customer data enabled an employee to access and transfer customer data to a personal server, which was then hacked by third parties, and the data was offered for sale online. The order stated that, among other things, the bank violated Rule 30(a) of Regulation S-P, or the “Safeguards Rule,” by failing to have effective authorization modules in place to prevent employees from improperly accessing customer data. The employee was criminally convicted and paid restitution for his actions.