On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 National Exam Program Examination Priorities (2018 Exam Priorities) and, once again, identified cybersecurity as one of its main areas of focus. According to OCIE, each of its examination programs will prioritize cybersecurity. The 2018 Exam Priorities include five main focus areas: (1) cybersecurity; (2) compliance and risks in critical market infrastructure; (3) matters of importance to retail investors, including seniors and those saving for retirement; (4) oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB); and (5) anti-money laundering programs. For an in-depth discussion regarding the entirety of the 2018 Exam Priorities, see Sidley’s previous analysis here.
With respect to cybersecurity, the 2018 Exam Priorities make clear that OCIE’s examinations will focus on governance, risk assessments, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE emphasized the “critical” importance of cybersecurity protection to the operation of the markets and the far-reaching effects of cyber threats. OCIE also stated that it will continue to work with firms in all sectors to identify and manage cybersecurity risks, and to encourage other market participants to engage in this effort as well.
OCIE’s identification of cybersecurity as a priority is not surprising and reflects the continuing importance of this area to OCIE and to the SEC more generally. Armed with a Cyber Unit formed in September 2017, new leadership at OCIE, and a clear mandate to focus on the cybersecurity governance obligations of public companies, the SEC is becoming a significant cybersecurity regulator in the United States. Indeed, many firms have already felt the effects of its increasing focus in this area.
Cybersecurity has continued to grow in prominence in the OCIE examination context in recent years, resulting in two standalone “Cybersecurity Initiatives,” in 2014 and 2017. The latter recently resulted in the issuance of OCIE’s August 2017 Risk Alert, outlining observations from its second cybersecurity survey (known as the “Cybersecurity 2 Initiative”). Among other things, the August 2017 Risk Alert (which followed a similar Alert from September 2015) outlined elements that OCIE suggested would be useful in implementing robust cybersecurity policies and controls, including: maintenance of an inventory of data, information, and vendors; mandatory employee training; vetting and approval of cybersecurity policies and procedures by engaged senior management; access controls for data and systems; data integrity testing; and detailed cybersecurity-related instructions regarding penetration tests, security monitoring, audits, access rights, and reporting. OCIE also recognized cybersecurity as a “top compliance risk” and pledged to “continue to examine for cybersecurity compliance.”
These efforts have coincided with recent fines against examined entities for alleged deficiencies in cybersecurity policies and procedures. Specifically, the SEC has penalized lapses in cybersecurity preparedness by charging violations of Rule 30(a) of Regulation S-P (the “Safeguards Rule”), which requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that “address . . . safeguards for the protection of customer records and information.” For example, in September 2015, the SEC announced a $75,000 fine (among other things) against R.T. Jones Capital Equities Management for allegedly failing to establish cybersecurity policies and procedures in connection with an alleged breach of its third-party-hosted web server, in violation of the Safeguards Rule. Notably, the SEC emphasized that financial harm to clients is not a prerequisite to bringing cybersecurity-related charges. In a press release accompanying the settlement, the SEC noted: “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Note that the SEC’s cybersecurity focus extends beyond registered firms and to public companies more generally. Although the SEC has yet to sanction a public company for failure to disclose a data breach, it has investigated companies for their handling and reporting of incidents and risks. It is not uncommon for the SEC to send comment letters to companies in the wake of news stories about cybersecurity incidents. Further, although the last formal guidance on disclosure obligations relating to cybersecurity risks and incidents dates back to 2011, there appears to be increasing scrutiny over public disclosures around cybersecurity risk in recent years as well.
Given the increased SEC focus, as well as the threat of shareholder actions and the potential for reputational harm, among other things, public companies should continually review the adequacy of their disclosures relating to cybersecurity risks and cyber incidents. In light of the most recent articulation of examination priorities, examined institutions should assess whether, and to what extent, they have implemented appropriate cybersecurity controls, with particular emphasis on the areas of focus identified in the 2018 Exam Priorities. Entities should ensure that they have developed a robust cybersecurity program that addresses the cybersecurity risks specific to the entity; is both documented and effectively implemented in practice; is supported by appropriate resources (tools, people, processes, and funds); and is updated as appropriate to account for new and developing risks and resources.