The SEC’s Office of Compliance Inspections and Examinations (OCIE) released two Risk Alerts, on April 16, 2019 and May 23, 2019, highlighting the importance of privacy and cybersecurity compliance for SEC-registered investment advisors and broker-dealers under Regulation S-P. As previously covered on Data Matters, OCIE has consistently identified cybersecurity as one of its main areas of focus for examinations.
Indeed, cybersecurity was once again identified by OCIE in its 2019 National Exam Program Examination Priorities (2019 Exam Priorities), which placed a particular emphasis on proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security. With the issuance of the April 16 and May 23 Risk Alerts, OCIE has provided additional detail regarding specific issues that SEC-registered entities should focus on to mitigate privacy and cybersecurity risk, as well as to prepare for examinations.
Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards. Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings. Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act. The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.