SEC examiners zeroing in on cybersecurity
WASHINGTON -- Earlier this year the SEC put advisors on notice that examiners intend to take a close look at how firms are safeguarding sensitive information and guarding against threats to their digital systems.
The SEC has yet to produce or even propose any binding rules regarding cybersecurity, but officials have been sending strong signals that they expect firms of all sizes to put in place policies and procedures to protect sensitive information.
"Smaller advisors need to take note, because they are not immune," says Duane Thompson, policy senior analyst at the fiduciary training firm fi360. "I think we're still in a formative period, and the last thing advisors should do is just sit on their hands and wait for something to happen."
The SEC's Office of Compliance Inspections and Examinations identified information security as an area of concern in its 2014 exam guidance. Then in March, the commission convened a roundtable to hear from industry members about the threats they face and the defenses they have in place.
RIA, B-D REVIEW
The next month, OCIE announced an initiative through which officials would fan out in a sweep of exams focused on cybersecurity at both RIAs and broker-dealers. The SEC, which did not provide a comment for this story by press time, has yet to announce results of those reviews, but experts anticipate that the process could result in a regulatory advisory notice outlining best practices for firms and risky behavior to avoid, guidance that would figure prominently in routine practice exams.
In announcing that program, the SEC issued 28 sample questions that examiners might pose to firms when evaluating their cybersecurity practices, covering issues ranging from risk assessment to relations with third-party vendors. The commission noted that many of those questions tracked the issues covered in the cybersecurity framework that the Commerce Department issued in February. That framework was intended to serve as a template for businesses in sectors of the economy deemed critical infrastructure, including financial services, to improve their risk posture.
The Commerce Department's guidance is voluntary, however, and regulators and lawmakers have been hesitant to pursue top-down mandates in a fast-moving area like cybersecurity where the threats move far faster than policymaking. At the same time, amid the steady drumbeat of high-profile data breaches at companies like Target, eBay and JP Morgan, some observers aren't ruling out the idea that the SEC could move on some baseline regulations -- or at least produce clearer guidance -- for advisors and brokers.
"I think everyone expects that there's going to be some additional information issued by the SEC," says Michael Weissmann, a partner at the law firm Bingham McCutchen. "It's certainly a possibility that there will be a formal rulemaking."
Thompson anticipates that the SEC could go a different route and bring an enforcement action against an advisor whose systems get hacked and client information is compromised. Even in the absence of a formal rule, Thompson says, the SEC can act under its existing statutory authority to bring action against an advisory firm that fails to safeguard its clients' data.
"A fiduciary duty -- and a duty of care in this instance -- is an underlying duty that is there no matter what the client agreement says or the regulation says," Thompson says. "It's sort of a catch-all duty."