SEC Warns More Cyber Enforcement Actions Coming
The SEC has a long to-do list, but ensuring that advisors and other registrants are protecting clients' sensitive information from cyber threats is right at the top, and more enforcement actions are expected.
The SEC’s Enforcement Division is using the Regulation S-P privacy rule to bring actions against firms that fail to safeguard client data, said the unit’s head, Andrew Ceresney, via an SEC webcast on Tuesday.
"Cyber is obviously a focus of ours, as I know it is for the other divisions, and we've brought a number of cases there relating to Reg S-P and failure to have policies and procedures relating to safeguarding information," Ceresney said, citing the case the commission brought against R.T. Jones, a St. Louis-based RIA, this past summer.
"There'll be others coming down the pike," Ceresney cautioned.
The SEC is reviewing the cybersecurity policies in place at advisors and broker-dealers. Separately, the commission has been shifting exam personnel from the BD side of the Office of Compliance Inspections and Examinations to the unit that oversees RIAs.
But even with those moves, commission officials acknowledge that they can't keep up with the rapid growth of the RIA sector. The SEC is only able to examine about 10% of registered advisors in a given year. And while the commission has been building out its data analytics capabilities to better target larger and higher-risk firms for examination, without a substantial funding increase, the agency will continue to fall short in its oversight of advisors, Chairwoman Mary Jo White has said.
White has directed staffers to develop recommendations for how the SEC might deputize an outside organization to help with advisor exams. That process is already well underway, and Diane Blizzard, associate director of the Division of Investment Management, offered a preview of what that regime might look like.
"These reviews, the way we're envisioning them, would not replace OCIE by any means," Blizzard said.
"These would be designed for additional touches," she said. "We think that the more touches that we can have — even with OCIE not there — the better. If we can collect some information in this process that can help OCIE do a better selection process for risk-based examinations, then that will assist the commission in meeting its goals."
‘AWFUL LOT TO WORK OUT’
Blizzard noted that the SEC floated the idea of a third-party exam initiative back when it was developing the Compliance Rule in 2003. Back then, as now, many industry representatives raised questions about how such a program would work. Commission staffers are trying to work through those issues, beginning with how the jurisdiction of the outside organization would be defined.
"The issue here is the scope," Blizzard said. "The scope of these exams really will drive a lot of the other questions that people have with respect to the costs, what standards are going to operate, how is the SEC going to exert oversight over the process or what sort of oversight can we have, and ... what are the potential conflicts of the people that would be doing the exams and how do you address those. So, certainly an awful lot to work out when it comes to this proposal."
How the exam regime should be structured is the subject of an active debate within the commission, said Jane Jarcho, deputy director of the SEC's National Exam Program.
"I think there's a lot of input being put into the thinking of third-party exams and getting the scope right," she said. "I don't think you could put 20 people in a room and have anybody start in the same place on what the scope should be, so there's a lot of discussion on what that should be."
INCREASING ADVISOR OVERSIGHT
Jarcho also suggested that White is pursuing the third-party exam initiative as the most viable option for increasing advisor oversight, not because she believes that it is the best policy. But since congressional appropriators have resisted her appeals for a budget increase to fund an expanded exam regime, she is taking a more pragmatic approach to addressing the issue.
"If you go back and you look at the chair's speeches and her comments," Jarcho said, "this wasn't her first choice, but it's what she can do. I mean, she's very practical, and not getting the resources that we would need to be able to really increase our exams, she felt that this was a necessary step. We get asked regularly, is this really going to happen. The answer is we're working on [it]. It's a priority of hers and there are a lot of people in the commission working on it. There's a lot of effort being placed on this."
Through a spokesperson, White declined to comment, though at the outset of the conference she mentioned the ongoing efforts at the commission to step up advisor exams, including the proposal for third-party exams.
"These reviews would not be in lieu of exams by our OCIE staff, but rather would be designed to enhance investment adviser compliance through an independent review," White said. "But these measures will not close the gap. It is a long road to having the resources we need to reach an acceptable level of exam coverage for investment advisers."