In a prepared speech at the Georgia Law Review Annual Symposium, SEC Commissioner Luis A. Aguilar covered a broad range of topics under the heading of “Preparing for Regulatory Challenges of the 21st Century.” Main points covered the ever-evolving markets and the need for high-quality information. In his closing statement, the Commissioner reminded attendees that “the dangers and risks of cyber-attacks…are developments no one expected just a few years ago.” Diligent readers of SEC speeches know that the devil is typically in the details, or in this case, footnotes. Expanding upon this brief mention, Aguilar goes on to note that “over just a relatively short period, cybersecurity has become a top concern for operating companies, financial institutions, law enforcement, and a host of global regulators.” We infer from this note that Commissioner Aguilar includes himself among the panoply of interested parties.
Oftentimes we are forced to read the proverbial tea leaves when it comes to understanding the SEC’s thought process and how it might transfer into document requests or areas of focus in the Investment Adviser’s next examination, but on the topic of cybersecurity things seem to be relatively clear. While Cybersecurity has been the focus of several initiatives, it seems to be popping up in the footnotes or conclusions of many speeches in many different venues. All of these points, in isolation, can appear inconsequential. However, when we review the rhetoric and the posture of the Commission in general over the past year and a half, we face the insurmountable truth that Cybersecurity is an issue that IAs must address, and must address immediately. At the 2014 Cybersecurity Roundtable, all of the SEC’s commissioners were present and remained so for the entire day, sending a clear message of importance to the population of regulated entities. Throughout the year, commissioners spoke on topics of cybersecurity, with Commissioner Aguilar speaking on June 10th, 2014 on “Cyber Risks and the Boardroom”, reminding the highest level of companies that they too have a responsibility for overseeing cyber-risk and that those boards choosing to “ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Compounding the rhetoric, the SEC issued its Cybersecurity Sweep Document Request on April 15th, 2014 and released its results on February 3rd, 2015 (commented on here). This release was coordinated with the results of FINRA’s own sweep. Taken as a whole the regulatory winds continue to move various regulatory ships down the path of more intense and sustained review of individual Firm’s practices.
So what should a regulated entity be doing now? Review the SEC’s cybersecurity sweep document request and the corresponding results. The real value, from our point of view, is the request itself and you should take the time, if you haven’t already done so, to review each question and to determine your firm’s individual responses. Taking time to conduct the fire drill and remediate noted weaknesses now will not only make your firm more secure, it will prepare you for the next time the regulator comes knocking.
Furthermore, we recommend all entities, regulated by FINRA or not, take the time to review their February, 2015 “Report on Cybersecurity Practices.”
For those SEC-regulated firms that wish to peer into the future, we would recommend a review of Regulation SCI. While an in-depth analysis of all 743 pages is likely not necessary, we would recommend a review of the controls and expectations promoted by the Commission to exchanges and other entities now covered by Reg. SCI. Although there is nothing written in stone at this point, the release contained the following note:
This approach will enable the commission to monitor and evaluate the implementation of Regulation SCI, the risk posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants.
From our point of view, the SEC has given us something of a crystal ball to gaze into, and it behooves us to do so, if only to determine resource prioritization for the future.
Finally, if you’re just not sure where you stand in the cybersecurity jungle, or how best to move forward, give us a call or an email, we’ll be happy to discuss your firm’s current posture and ways to reduce your attack surface.
For Further Reading (Links Will Open in a New Window):