Cybersecurity Focus for SEC Will Continue for 2022

In past posts, we discussed increased enforcement efforts by the Securities and Exchange Commission (SEC). The SEC’s focus should have come as no surprise given that in early 2021, the SEC highlighted information protection and cybersecurity as key areas of focus for 2021.  For instance, the SEC’s Division of Examinations specifically highlighted its concerns about endpoint security, data loss, remote access, use of third-party communication systems, and vendor management.


We don’t see the SEC’s focus changing in 2022. If anything, cybersecurity enforcement efforts ramped up throughout the rest of 2021 as the SEC followed through on its concerns and imposed millions of dollars in civil penalties and fines. As discussed, the SEC enforcement actions are illustrative and provide guidance going forward. For instance, the SEC continually cited the Safeguards Rule, which requires every investment adviser and broker-dealer to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information against cybersecurity attacks or other unauthorized access. Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, also emphasized exactly what the SEC was targeting when she stated that “Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”


In sum, entities should take heed of the SEC’s enforcement actions and plan appropriately for 2022. Undoubtedly, the SEC will examine whether entities took appropriate measures to: (1) safeguard customer accounts and prevent account intrusions; (2) investigate and properly report breaches to the agency and customers; (3) oversee vendors and service providers; (4) address malicious email activities, such as phishing or account intrusions; and (5) respond to suspected incidents, including ransomware attacks.