Cybersecurity is becoming a greater priority each year for investment firms. Not only is the risk of attack increasing from a growing number of sources, but the level of potential damage to individual firms and the overall market also increases with each passing year.
As a reflection of the ever-growing cyber threats to market stability and investor security, regulatory bodies are making cybersecurity risk and prevention a focus of their oversight activities.
Since 2015, the SEC Office of Compliance, Inspections, and Examinations (OCIE) has clearly and repeatedly stated its intentions to focus heavily on working with firms to identify and manage cybersecurity risks through compliance with cybersecurity standards.
Click to read the SEC statements in full.
However, interagency cooperation and activity indicate that not all firms are taking measures to ensure that proper cybersecurity policies and risk-management procedures necessary to protect market integrity are in place.
Cybersecurity Risks and Interagency Cooperation
As cases of non-compliance are identified, either the OCIE or the SEC Enforcement Division are stepping in to take action in one of the following forms:
- Enforcement inquiry by the SEC Enforcement Division
- OCIE examination proceedings to determine areas for improvement, with results communicated through the deficiency letter process
More information on these agency actions can be found here.
Clearly, protection of the market and of investors has become an industry-wide priority, and compliance with bolstered cybersecurity requirements to reduce risks is expected by the associated regulatory agencies.
Informed Employees — The Cybersecurity Front Line
Informed employees act as the critical first line of defense against cybersecurity threats, and a vigorous training program is a key to bolstering both protection and compliance.
Successful cybersecurity training programs include, at the minimum, the following components:
- How to identify cybersecurity risks, including social engineering, phishing, viruses, hacking, and malware
- Understanding cybersecurity policies and user responsibilities related to an employee’s specific job role
- Implementing sound protection habits, such as encryption protocols, strong password policies, data backups, and the use of anti-virus/anti-malware software
- Outlining and reviewing the firm’s incident response procedures with all employees
Up-to-date training focused on these fundamental elements of cybersecurity risk prevention increases employees’ knowledge and abilities to effectively fill their role as cybersecurity gatekeepers.
Bolstering Cybersecurity to Meet SEC Standards — We Can Help
In its 2018 National Examination Program Priorities memo, OCIE released the following statement on cybersecurity issues:
“We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”
Click to read the statement in full.
This statement clearly indicates the need for firms to allot the necessary resources that will ensure their cybersecurity policies and procedures are robust enough to meet regulatory standards and reduce the threat of cyberattacks and their associated damages.
Employee education that bolsters your firm’s cybersecurity capabilities is the logical first step in reducing risk and compliance with the SEC’s ever-increasing requirements.
At Core Compliance & Legal Services, Inc., we have years of experience assisting clients in matters related to compliance, including cybersecurity risk prevention measures. We’re here to help — contact us for assistance with your cybersecurity compliance needs.