SEC Examinations Division Names Cybersecurity as a 2022 Exam Priority

Recently, the Division of Examinations of the Securities and Exchange Commission (the “SEC”) released its annual list of examination priorities for 2022. The SEC listed five “significant focus areas.” One of the five is entitled “Information Security and Operational Resiliency” and concerns a firm’s cybersecurity preparedness and whether it has implemented appropriate security measures. In sum, the SEC has prioritized cybersecurity and the other four areas because it believes they present unique risks to investors and are areas that demonstrate a need for continued vigilance.


Specifically, the SEC states that it will review whether firms have taken appropriate measures to safeguard customer accounts and prevent account intrusions, which includes addressing malicious email activity (e.g., phishing). The SEC’s focus also extends to how a firm responds to security incidents (e.g., ransomware) and the security measures it uses to detect identity theft. Finally, the SEC will review whether a firm is managing its operational risk, including its remote workforce and disaster recovery plans, and whether the firm is conducting due diligence on and overseeing its vendors and service providers. The SEC exam priorities are available at the following link: https://www.sec.gov/files/2022-exam-priorities.pdf


Please note that the SEC’s exam priorities are separate from the efforts announced by the Chair of the SEC, Gary Gensler, which were covered in our February 2022 update. To recap, Mr. Gensler announced that the SEC is considering additional cybersecurity and incident reporting regulations for entities such as broker-dealers, investment advisory firms, and funds. He explained that such regulations “could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the [SEC] with more insight into intermediaries’ cyber risk.” Further, Mr. Gensler noted opportunities to expand Regulation S-P to modernize how consumers would receive notifications about data breach cybersecurity events.


In other words, the SEC will be addressing cybersecurity risk from a number of different angles. As we have discussed in prior updates, the SEC remains focused on cybersecurity for 2022 and for the foreseeable future. Thus, firms should take the time now to prioritize a thorough review of their cybersecurity practices and measures. This will help them prepare for a thorough examination and will also confirm that the firm has security measures in place to prevent and mitigate interruptions to mission-critical services and to protect investor information.