As in past years, the SEC and FINRA (as well as other regulators) released their examination priorities for 2015 in early January. Compliance and legal professionals can now pore over the language of these priorities to assess where their firms need to focus in the coming year. While there may be more than one candidate for top honors, cybersecurity has emerged as an area that will receive increased scrutiny from regulators in the year ahead.
SEC Examination Priorities
To understand what has changed, we can look back to the priorities published in 2014. When the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its National Exam Program Examination Priorities 2014, it listed “Technology” as a National Examination Priority (NEP) initiative. Within the description of “Technology” it merely listed “information security” as an area that would continue to be examined. OCIE’s focus, however, sharpened just a couple of months later after the SEC sponsored a Cybersecurity Roundtable. Within a couple of weeks following the Cybersecurity Roundtable, the SEC published its “OCIE Cybersecurity Initiative” NEP Risk Alert, which included a sample request for information that OCIE might use in conducting information security examinations of an initial group of 50 registered brokers and investment advisers. In the months that followed, investment adviser clients reported that these examinations had indeed extended beyond the initial group.
Given this backdrop and the prevalence of high-profile cybersecurity breaches in the news (including, of course, the breach experienced by JP Morgan in October of last year), it is unsurprising that cybersecurity is more heavily emphasized in the National Exam Program Examination Priorities 2015. This year, OCIE listed “Cybersecurity” as one of four market-wide risks that it will focus on in the year ahead. OCIE notes that transfer agents should also expect examinations to focus more on cybersecurity.
FINRA Examination Priorities
FINRA, in its 2014 Regulatory and Examination Priorities Letter, listed “Cybersecurity” as its own category. In that letter, FINRA noted that its “primary focus” was the “integrity of firms’ policies, procedures, and controls to protect sensitive customer data.” FINRA was non-committal as to whether and how cybersecurity would factor into its examinations and investigations. Within the month, however, FINRA initiated a sweep of a number of brokers and published its request letter (see my earlier blog, Significant Developments In Cyber-Security and Their Impact on the Financial Services Industry). Further, late last year, FINRA began hiring examiners with technology expertise for the purpose of intensifying its scrutiny of brokers’ cybersecurity practices in 2015.
As anticipated, FINRA’s 2015 Regulatory and Examinations Priorities Letter makes explicit what was left unstated in 2014. The first sentence under its “Cybersecurity” listing states: “FINRA examiners will review firms’ approaches to cybersecurity risk management.” FINRA goes on to note that it will provide more guidance in the first half of this year as to how firms should proceed, specifically with respect to “the use of frameworks and standards, the role of risk assessments, the identification of critical assets, and the implementation of controls to protect those assets based on the scale and business model of the firm” (for a more detailed discussion of these areas, readers should download Information Security Risks: Internal Systems, Vendors, and The Cloud, a white paper published by Hess Legal Counsel and Aponix in September of last year). Notably, FINRA focuses on the ability of broker dealers to comply with the books and records retention requirements of Rule 17a-4(f), promulgated pursuant to the Exchange Act, in the event of a cyber attack. Rule 17a-4(f) sets out the WORM (write once, read many) requirements that brokers must adhere to with respect to electronic storage of their books and records.
Immediately following its listing of cybersecurity as a priority, FINRA listed “Outsourcing,” which is a new examination priority. FINRA notes that its examinations will specifically address what the broker is doing to ensure its vendors’ compliance with the securities laws and rules for which the broker is responsible. Moreover, FINRA states that it will focus on the due diligence and risk assessment that its members undertake with regard to their service providers, as well as on supervision of those providers. Given the exposure that firms have to information security threats through outsourcing, the placement of this risk immediately after cybersecurity cannot be accidental. Regardless, firms need to consider outsourcing risks as part of their information security program.
The Implications of Reg SCI for Non-SCI Entities
Late 2014 also saw the adoption of Regulation Systems Compliance and Integrity (Reg SCI), a regulation designed to require certain critically important firms to implement comprehensive policies and procedures for critical technology systems. While the regulation covers only a limited group of 44 entities that are largely exchanges, certain ATSs and clearing firms, the SEC noted in its release that it might consider broadening the scope of the regulation to other categories of market participants such as “non-ATS broker dealers, security-based swap dealers, investment advisers, investment companies, transfer agents and other key market participants.” As a practical matter, I don’t foresee Reg SCI ever becoming an issue for most broker dealers, investment advisers or investment companies. With that said, however, the SEC is clearly signaling that broader regulation of the technology of regulated financial entities is a real possibility. In addition, the SEC is currently advancing measures that would require publicly owned companies to disclose more information about their cybersecurity vulnerabilities, and, at the very least, I believe we can anticipate that the SEC and/or FINRA will eventually require greater disclosure from regulated financial entities respecting their cybersecurity vulnerabilities.
While larger firms have already implemented information security programs, many small and mid-size shops are neither sufficiently prepared for a cybersecurity breach nor for the questions that examiners will be asking them in the months and years to come. With the regulators being so explicit about their intent to scrutinize this area, compliance and legal professionals in all firms should recognize that they can no longer wait for specific legislation to compel their response. Their firms will have to answer to the regulators respecting their information security programs, whether in the course of an examination or following a known breach.