SEC's Cyber/Infosec Exam Priorities for 2021
The Securities and Exchange Commission’s Division of Examinations today announced its 2021 examination priorities. The Division publishes its examination priorities annually to provide insights into its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets.
Once again, cybersecurity is among the top six initiatives, though the Division now frames it more broadly as Information Security and Operational Resiliency.
Advisor Armor software and services continue to provide interpretive guidance and evidence of conformance to these expanded expectations. SEC comment highlights include:
Over the past year, the increase in remote operations in response to the pandemic has increased concerns about, among other things, endpoint security, data loss, remote access, use of third-party communication systems, and vendor management. The Division will review whether firms have taken appropriate measures to:
safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
oversee vendors and service providers;
address malicious email activities, such as phishing or account intrusions;
respond to incidents, including those related to ransomware attacks; and
manage operational risk resulting from dispersed employees in a work-from-home environment.
In particular, EXAMS will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.
The use of technology to facilitate compliance with regulatory requirements (RegTech) has experienced immense growth in recent years. RegTech, when implemented appropriately, may increase the efficiency of compliance staff, reduce manual processes, and exponentially increase transaction review capabilities. However, misused or improperly configured RegTech may lead to compliance program deficiencies. Examinations will focus on the implementation and integration of RegTech in firms’ compliance programs.
EXAMS typically assess compliance programs of RIAs in one or more core areas, including the appropriateness of account selection, portfolio management practices, custody and safekeeping of client assets, best execution, fees and expenses, business continuity plans, and valuation of client assets for consistency and appropriateness of methodology. In evaluating the effectiveness of a compliance program, the Division frequently reviews whether RIAs appear to have sufficient resources to perform core compliance responsibilities.
The Division will continue to review the compliance programs of RIAs, including whether those programs and their policies and procedures are reasonably designed, implemented, and maintained. As part of its risk-based examination approach, the Division will also continue to conduct examinations of RIAs that have never been examined, including new RIAs and RIAs registered for several years that have yet to be examined, with a particular focus on firms’ compliance programs.
Information security is critical to the operation of the financial markets and the confidence of its participants. The impact of a breach in information security, including a successful cyber-attack, may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and the potential consequences. The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack-related risks, and encourages market participants to actively and effectively engage regulators and law enforcement in this effort.