SEC Planning Enforcement Actions Resulting from Cybersecurity Exams

March 22, 2016

U.S. Securities and Exchange Commission (SEC) staff spoke at the Investment Company Institute's Mutual Funds and Investment Management Conference on March 15, 2016, regarding examination and regulatory initiatives around cybersecurity issues.

The staff panelists noted that the SEC's Division of Enforcement is currently working on enforcement actions regarding cybersecurity, and that the Office of Compliance Inspections and Examinations (OCIE) has referred cybersecurity examination issues to the Division for enforcement consideration.

To date, the SEC has brought only one enforcement action as the result of a cybersecurity exam. Last fall, the SEC charged a small St. Louis-based investment adviser for failing to adopt written cybersecurity policies and procedures reasonably designed to safeguard customer information.

A key discussion topic among panelists was whether or not the SEC went too far in fining that firm, as none of the firm's clients suffered financial losses as the result of the data breach. In addition, the firm took appropriate actions to correct the breach once it was discovered, including promptly retaining more than one cybersecurity consulting firm.

The SEC staff panelists emphasized the importance of conducting adequate due diligence on third-party service providers and their security measures, and of adopting adequate policies and procedures that address the risk of cybersecurity issues that may result in stolen client information.

The SEC staff panelists also noted that the SEC has made public the specific exam questions related to cybersecurity and encouraged firms to use these questions to perform their own cybersecurity assessments in preparation for the event of an actual exam.

How ACA Can Help

ACA has seen a significant increase in cybersecurity exams over the last two weeks. Our cybersecurity and risk team, ACA Aponix, assists firms in conducting thorough due diligence on third-party service providers and helps firms develop and test their cybersecurity policies and procedures. In addition, we assist firms during an SEC exam, as well as help them prepare in advance for an exam, such as by providing the Document Request List used in recent SEC cybersecurity exams. If you would like more information or have any questions, please reach out to your ACA Consultant or Damon Zappacosta