As it does every January, the U.S. Securities and Exchange Commission (the “Commission”) again released its annual examination priorities for 2020 (the “2020 Release”). Cybersecurity remains a top priority for the Commission.
The Commission currently has two distinct and dedicated units focusing on Cybersecurity (“OCIE,” its examination arm, and the “Cyber Unit,” its enforcement team), and in 2019, the cadence of “Cyber Sweeps” increased, as it conducted two separate Cyber Sweeps simultaneously.
This comes as little surprise to most, as Cybersecurity continues to present a systematic risk to the financial markets. The Align Cybersecurity team continues to study the Commission’s evolving policy on Cybersecurity and the 2020 Release is helpful in that regard.
As the 2020 Release makes clear, “OCIE prioritized information security in each of its five examination programs in FY 2019.” The fact that Cybersecurity is a substantive focal point, even in examinations other than the Cyber Sweeps, is demonstrative of how critical and omnipresent Cybersecurity risk has become, both in the eyes of regulators and within the context of Operational Due Diligence exercises as well.
For 2020, the Commission will focus on proper configuration of network storage devices, information security governance, generally, and retail trading information security. With regard to registered investment advisers, the same categorical domains (the “Cyber 6”) remain the prevailing vectors that will be addressed in the Cyber Sweeps. These include:
- Governance and risk management
- Access controls
- Data loss prevention
- Vendor management
- Training
- Incident response and resiliency
Other, more nuanced topics the Commission will examine and assess this year (all of which were publicly addressed in 2019 through Risk Alerts and other materials), include:
- Oversight practices of network solution and cloud-based storage vendors
- Compliance with the Safeguards Rule (Regulation S-P) and the Identity Theft Red Flags Rule (Regulation S-ID)
- Controls surrounding online and mobile application access to customer brokerage account information
- Safeguards around the proper disposal of retired hardware
If you have any questions on the Commission’s evolving policy on Cybersecurity, please do not hesitate to reach out to the Align Cybersecurity Team.