Frances Floriano Goins, Co-Chair of Ulmer’s Data Privacy and Information Security Practice Group, contributed analysis to a recent Law360 article focusing on an expected wave of cybersecurity-based enforcement from the U.S. Securities and Exchange Commission (SEC). For years, the SEC has encouraged companies to focus on improving their cybersecurity, and has included cybersecurity on broker-dealer and investment adviser exams for the last three years. With the focus seemingly unlikely to change under new Chairman Jay Clayton, companies are preparing for incoming SEC enforcement.
The SEC’s attention to cybersecurity is nothing new. The agency’s Office of Compliance Inspections and Examinations listed cybersecurity on its annual list of exam priorities in 2015, 2016 and 2017, and has implemented several sweeps to test firms’ compliance and controls on cybersecurity.
The office also released a risk alert this spring after the WannaCry hacking attacks, warning broker-dealers and investment advisers to conduct regular penetration tests and vulnerability scans and implement system upgrades on a timely basis.
That alert also revealed that many firms aren’t living up to the SEC’s cybersecurity expectations. Of firms examined in a recent sweep, OCIE said, over a quarter of investment management firms didn’t conduct periodic risk assessments of critical systems, and over half didn’t conduct penetration tests to identify weaknesses and vulnerabilities in their systems.
Ulmer & Berne LLP partner Frances Floriano Goins said that broker-dealers and investment advisers have been subject to stringent and particularized cybersecurity regulation by the SEC and broker-dealer watchdog the Financial Industry Regulatory Authority, and as a result cybersecurity violations by registered entities have been enforced more aggressively than those of public companies.
“The SEC and certainly FINRA, which regulates some of these entities, have not been particularly sympathetic” to hacked firms and regulated entities that aren’t up to speed on their cyber protections, Goins said.