Financial Regulators Have Cyber on Their Minds

Financial Regulators Have Cyber on Their Minds

This year, expect regulators to hold financial-services companies accountable for their cybersecurity failings.

Financial regulators, struggling to keep up with the onslaught of new threats to the public’s sensitive financial and personal data, have spent the last few years examining corporate cybersecurity practices, policies, and procedures and communicating their expectations to executives.

This year, expect regulators to hold companies accountable for their cybersecurity failings. Since CFOs play a critical role in ensuring their companies are able to meet these expectations, they should stay informed about these developments.

When it comes to enforcing cybersecurity preparedness, the Securities and Exchange Commission (SEC) is flexing its regulatory muscle more than ever before. Last year, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released the results of its cyber-readiness examination of 57 registered broker-dealers and 49 registered investment advisers. The examination discovered that while firms had varying degrees of cyber-preparedness, most firms reported that they had been the subject of a cyber-related incident. The report underscored the importance of the issue and confirmed what most industry executives already knew — cyber risk is a serious and growing threat.

Shortly thereafter, the SEC’s Division of Investment Management released a Guidance Update to help advisers create effective cybersecurity policies. The Guidance Update noted that “cyber-attacks on a wide range of financial services firms highlight the need for firms to review their cybersecurity measures,” and it suggested that funds and advisers mitigate cybersecurity risk by (1) conducting periodic cybersecurity risk assessments; (2) creating strategies designed to prevent, detect, and respond to cybersecurity threats; and (3) implementing the strategy through written policies and procedures and training.

What really commanded industry attention, however, was the SEC’s settlement of the first-ever cybersecurity-related enforcement action in September 2015. The message to the C-suite was clear: the SEC was now holding companies accountable for their cybersecurity missteps. Around the same time, OCIE issued a Risk Alert stating that it would be conducting a second round of investment adviser and broker-dealer cybersecurity investigations focused on assessing procedures and internal controls. OCIE has also signaled to firms that cybersecurity remains a priority by including cybersecurity examinations in its 2016 Examination Priorities. Read more on CFO.