January 9, 2020

2020: 7th Consecutive Year SEC Declares Cybersecurity as Top Regulatory Priority

by: John Araneo

As it does every January, the U.S. Securities and Exchange Commission (the “Commission”) again released its annual examination priorities for 2020 (the “2020 Release”). Cybersecurity remains a top priority for the Commission.

The Commission currently has two distinct and dedicated units focusing on Cybersecurity (“OCIE,” its examination arm, and the “Cyber Unit,” its enforcement team), and in 2019, the cadence of “Cyber Sweeps” increased, as it conducted two separate Cyber Sweeps simultaneously.

JTA-Headshot-487172-editedThis comes as little surprise to most, as Cybersecurity continues to present a systematic risk to the financial markets. The Align Cybersecurity team continues to study the Commission’s evolving policy on Cybersecurity and the 2020 Release is helpful in that regard. 

As the 2020 Release makes clear, “OCIE prioritized information security in each of its five examination programs in FY 2019.” The fact that Cybersecurity is a substantive focal point, even in examinations other than the Cyber Sweeps, is demonstrative of how critical and omnipresent Cybersecurity risk has become, both in the eyes of regulators and within the context of Operational Due Diligence exercises as well.

For 2020, the Commission will focus on proper configuration of network storage devices, information security governance, generally, and retail trading information security. With regard to registered investment advisers, the same categorical domains (the “Cyber 6”) remain the prevailing vectors that will be addressed in the Cyber Sweeps. These include:

  • Governance and risk management
  • Access controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response and resiliency

Other, more nuanced topics the Commission will examine and assess this year (all of which were publicly addressed in 2019 through Risk Alerts and other materials), include:

  • Oversight practices of network solution and cloud-based storage vendors
  • Compliance with the Safeguards Rule (Regulation S-P) and the Identity Theft Red Flags Rule (Regulation S-ID)
  • Controls surrounding online and mobile application access to customer brokerage account information
  • Safeguards around the proper disposal of retired hardware

If you have any questions on the Commission’s evolving policy on Cybersecurity, please do not hesitate to reach out to the Align Cybersecurity Team.

Contact Us ➜ 

Continue Reading

Related Articles


“Align is our trusted provider for all our Managed Services and cybersecurity needs. They provide us best-in-class IT services that not only help drive productivity and growth, but ensure we meet both current and evolving compliance and security requirements with ease. As consultants to financial advisors, trust and reliability are indispensable to our operations, which is why we never hesitate to refer Align to our very own client base. Align isn’t just our partner, they are an extension of our team. We look forward to entrusting them with our IT infrastructure for years to come.”

Ed Fasano - Experienced Advisory Consultants LLC