SEC Sharpens Cybersecurity, Boosts RIA Exams
The SEC has sharpened its focus on cybersecurity in recent days, with its chairman Jay Clayton releasing a statement identifying it as a priority and announcing the creation of a cyber unit that will focus on targeting cyber-related misconduct. The watchdog will also focus on the fiduciary rule and boost its RIA examination capacity, Clayton has told lawmakers.
Stephanie Avakian, co-director of the SEC’s enforcement division, says the cyber unit will “enhance” the regulator’s ability to detect and investigate cyber threats, noting that those threats and misconduct are “among the greatest risks facing investors and the securities industry”.
The cyber unit’s misconduct targets will include market manipulation schemes involving false information that are spread through electronic and social media; hacking to obtain material non-public information; violations involving distributed ledger technology and the so-called initial coin offerings (virtual coins or tokens); misconduct perpetrated using the dark web; intrusions into retail brokerage accounts; and cyber-related threats to trading platforms and other critical market infrastructure.
The cyber unit will be headed by Robert Cohen, who has been co-chief of the SEC’s market abuse unit since 2015. The unit will include staff members from across the enforcement division. It will be used to complement a planned cybersecurity working group that will coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.
The creation of the cyber unit comes at a time when the SEC is also assessing its own cybersecurity risk profile. The planned cybersecurity working group is a product of that assessment, which Clayton initiated in May.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton says. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
In August the SEC learned an incident previously detected in 2016 may have provided the basis for illicit gain through trading. The SEC says a software vulnerability in the test filing component of its EDGAR automated document filing system was exploited and resulted in access to non-public information. The SEC believes the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, nor result in systemic risk.
In Tuesday’s Senate Committee on Banking, Housing and Urban Affairs hearing on the oversight of the SEC, Senator Michael Crapo, R-Idaho, said he was “disturbed” the SEC didn’t disclose the intrusion to the “public and even all of its commissioners” when it happened in 2016.
“It is critical that the SEC safeguards the data it collects and maintains,” he said, citing the dangers posed by a recent cyber breach of Equifax data.
In the same hearing, Rep. Sherrod Brown, D-Ohio, said the SEC should be held to a higher standard when it comes to expectations of transparency on cybersecurity breaches.
“How are main street investors expected to have confidence that the SEC can hold big companies accountable when the SEC is not immediately forthcoming?” he asked.
At the hearing, Clayton said he too was concerned over the lack of transparency about the 2016 intrusion, which happened before he became SEC chairman. But he cautioned against second-guessing the SEC’s ability to secure the information entrusted to it to perform its regulatory functions.
Clayton said he has authorized the immediate hiring of additional staff to help the SEC protect the security of its network, systems and data. He said he also directed the staff to enhance their escalation protocols for cybersecurity incidents.
In his statement, Clayton said the scope and severity of risks that cyber threats present have increased dramatically.
The challenge in preventing cybersecurity threats, Clayton says, is that the malicious attacks and intrusion efforts are “continuous and evolving”, and can succeed even when the targets are “the most robust institutions”, such as the SEC. Thus, he says, cybersecurity efforts must not stop with the assessment of risks, but proceed with prevention, mitigation, resilience and recovery.
SEC regulations require firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access. They also outline a firm’s duties regarding the detection, prevention, and mitigation of identity theft and require firms to preserve electronically stored records in a non-rewriteable, non-erasable format, commonly known as the write once read many (WORM) format.
The SEC has said RIAs appear less prepared than broker-dealers when it comes to dealing with cybersecurity threats. Earlier this year, the SEC analyzed 75 firms and found that 26% of the companies don’t conduct risk assessments on a continuous basis and 57% failed to carry out vulnerability and penetration tests with simulated attacks on critical systems.
Separately, the SEC will increase the number of RIA exams by 30% by moving 100 employees to its investment advisor unit, Clayton told lawmakers, according to FA magazine. This will mean the regulator will be able to examine around 15% of all investment advisors, he said, according to the publication. As of last year, the SEC was only able to examine about 10% of the RIAs on its watch. And this summer the agency gave up on its proposal to bring on third-party examiners to help it with advisor audits.
During his testimony, Clayton also stressed the far-ranging effects on the markets of the Department of Labor’s fiduciary rule, which purports to force retirement account advisors to put clients’ interests first and went into partial effect in June. The SEC is working hand-in-hand with the DOL on investment advisor standards, Clayton told the panel, according to FA magazine. And the regulator has already received more than 150 comments from the industry about revamping its standards of conduct for investment advisors, he said. But the regulator is still evaluating its next move as far as rolling out its own version of the fiduciary rule, he said, according to FA magazine. Nonetheless, Clayton told lawmakers the rule is on top of its agenda, according to InvestmentNews.
“Everything can’t be a priority. This is a priority for me,” Clayton said, according to the publication.
Clayton asked for a budget of $1.7 billion to achieve the goals, Financial Advisor magazine writes. The money would let the regulator end a hiring freeze put in place at the start of fiscal year 2017, he told the panel.
Additional reporting by Alex Padalka.