SEC Warning: Small Firms Won't Get a 'Pass' on Cybersecurity
ARLINGTON, VA. -- Small advisor firms should not expect any exemption from the requirements for data security that the SEC is developing, a senior official said Friday.
Jane Jarcho, the national associate director of investment advisor and investment company exams at the SEC's Office of Compliance Inspections and Examinations, said that cybersecurity is an area of growing concern within the commission, and examiners increasingly will be expecting advisor firms of all sizes to have in place more robust policies and procedures to deal with the growing threats to their information systems.
"You don't get a pass if you're small, I don't think. You have to figure out the right preparedness for your firm," Jarcho said.
The SEC cited information security as an area of concern in its 2014 exam guidance, with the National Examination Program naming an evaluation of technology issues across all registered entities as one of the most significant initiatives it will undertake this year. Later this month, the SEC is scheduled to hold a roundtable discussion on the threats to digital systems and how market participants can respond to them.
Jarcho gave no timeframe for when the SEC might advance a formal proposal for cybersecurity requirements for advisors, but rather indicated that the commission is still in the early stages of evaluating the threat landscape, an effort that relies on an ongoing dialogue with members of the industry.
"We've been trying to devise an approach to look at cybersecurity," she said. "And I think it's important to understand that I think the approach we're going to roll out is we're going to try to assess the level of cybersecurity preparedness at registrants and understand their recent experiences with certain types of cybersecurity threats."
OPTIONAL BEST PRACTICES
While cyber threats to the advisor space and the financial sector writ large are a top concern at the commission, Jarcho stressed that the SEC is not planning to adopt overly prescriptive regulations that would require firms to adopt specific technological defenses. Instead, officials are looking toward a risk-based approach that would permit advisors to tailor policies to the nature of their business and the vulnerabilities they face.
She said that the commission is looking closely at the cybersecurity framework that the Obama administration rolled out last month (the NIST Framework for Improving Critical Infrastructure Cybersecurity), a voluntary set of guidelines that private-sector firms in sectors of the economy designated as critical infrastructure -- including financial services -- are encouraged, but not required, to adopt. That template covers a broad range of what might be considered cybersecurity best practices, including identifying and responding to threats, assessing risk, and treating digital defenses as a priority on par with other key business objectives.
"We're not intending to suggest to firms that they're required to follow any specific cybersecurity practices. That's not what we're trying to do," Jarcho said. "We're not saying there are absolute things that have to be done in any of these areas."