As it does every January, the U.S. Securities and Exchange Commission (the “Commission”) released its annual examination priorities for 2020 (the “2020 Release”). Cybersecurity remains a top priority for the Commission.
The Commission currently has two distinct and dedicated units focusing on Cybersecurity (“OCIE,” its examination arm, and the “Cyber Unit,” its enforcement team), and in 2019, the cadence of “Cyber Sweeps” increased, as it conducted two separate Cyber Sweeps simultaneously.
As the 2020 Release makes clear, “OCIE prioritized information security in each of its five examination programs in FY 2019.” The fact that Cybersecurity is a substantive focal point, even in examinations other than the Cyber Sweeps, demonstrates how critical and omnipresent Cybersecurity risk has become, both in the eyes of regulators and within the context of Operational Due Diligence exercises.
For 2020, the Commission will focus on proper configuration of network storage devices, information security governance, generally, and retail trading information security. With regard to registered investment advisers, the same categorical domains (the “Cyber 6”) remain the prevailing vectors that will be addressed in the Cyber Sweeps. These include:
Other, more nuanced topics the Commission will examine and assess this year (all of which were publicly addressed in 2019 through Risk Alerts and other materials) include:
If you have any questions on the Commission’s evolving policy on Cybersecurity, please do not hesitate to reach out to the Align Cybersecurity Team.