SEC: Prioritizing Cybersecurity

Cybersecurity is now a priority for many investment advisers to address. On June 14, SEC Chair Mary Jo White echoed that sentiment in her testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs.

“Cybersecurity is – as I have said before – one of the greatest risks facing the financial services industry and will be for the foreseeable future,” Chair White said in her remarks. She went on to note that the SEC has taken a “proactive” approach that includes “examining and enforcing the rules we oversee that relate to cybersecurity.”

Reading between the lines, it appears that the SEC does not need a new Cybersecurity Rule to enforce requirements. Rather, the Commission appears willing and able to enforce existing regulations that already address cybersecurity – particularly Rule 30(a) of Regulation S-P, which requires registered investment advisers to adopt written policies and procedures reasonably designed to safeguard customer records and information.

Regulation S-P violations have paved the way for the SEC to bring two cybersecurity enforcement actions against investment advisers within the last nine months – first, against RT Jones in September 2015 and more recently against Morgan Stanley Smith Barney in June 2016.

SEC’s 2016 Efforts on Cybersecurity Exams

Chair White stated that the SEC is focusing on “ensuring that our registered entities have policies and procedures to address the risks posed to their systems and data by cyberattacks,” explaining that the agency has expanded its cybersecurity examinations to include testing of firms’ implementation of procedures and controls.

The SEC is currently examining these issues at firms in 2016, and recently announced the promotion of Christopher Hetner to the role of Senior Advisor to the Chair for Cybersecurity Policy. Mr. Hetner, a former chief information security officer at GE Capital, is the Cybersecurity Lead for the SEC’s Office of Compliance Inspections and Examinations (OCIE) Technology Controls Program.

Chair White’s full testimony is available by clicking here.

Latest Content

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it … Continued

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research. MiFID II is a series of regulations … Continued

Regulatory Changes Impacting RICs and Service Providers

A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and … Continued

Publicly Available Information Heightens Need for Cybersecurity Vigilance

For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.