SEC Cybersecurity Examinations and Enforcement: What Broker-Dealers and Investment Advisers Need to Know

September 28, 2015

The Securities and Exchange Commission’s (SEC or Commission) Office of Compliance Inspections and Examinations (OCIE) announced in a September 15, 2015 Risk Alert (2015 Risk Alert) that it will be conducting a second round of examinations of broker-dealers and investment advisers, focused on cybersecurity. One week later, the SEC’s Enforcement Division announced the settlement of an enforcement proceeding against an investment adviser for failing to establish adequate cybersecurity policies and procedures, as required under Regulation S-P.

The announcement of the second round of OCIE cybersecurity exams and the recent enforcement action are strong signals that the SEC remains focused on evaluating the cybersecurity policies and procedures adopted by investment advisers and broker-dealers. While the first round of OCIE exams appeared to be more focused on inventorying the particular cybersecurity policies and practices that firms had adopted, the sample information request included in the 2015 Risk Alert indicates that the SEC will now focus on the implementation and operation of cybersecurity policies and procedures. The enforcement proceeding indicates that firms may be subject to regulatory enforcement for failure to adopt adequate cybersecurity policies and procedures, even in the absence of financial harm to investors.
