SEC to Conduct ‘IT-Related’ Exams of BDs, Advisors

OCIE will look at ‘the quality of the technical infrastructure’ of certain firms’ cybersecurity controls

The SEC wants to examine firms' technical cybersecurity infrastructure. The SEC wants to examine firms' technical cybersecurity infrastructure.

The Securities and Exchange Commission’s National Exam Program plans to continue this year its exams of brokers’ and advisors’ cybersecurity-related measures by conducting targeted exams of their “IT-related” controls, according to Vincente Martinez, chief of the SEC’s Office of Market Intelligence.

“Another round of exams” will be conducted this year by the SEC’s Office of Compliance Inspections and Examinations' Technology Controls Program “looking at the quality of the technical infrastructure of certain firms,’” cybersecurity-related measures, Martinez said during a cybersecurity conference held Wednesday in New York by the Financial Industry Regulatory Authority and the Securities Industry and Financial Markets Association.

Martinez said these OCIE exams would target a “smaller group” of advisors and broker-dealers.

The SEC noted in its recently released exam priorities list for this year that OCIE will continue its exams of BDs’ and advisors’ cybersecurity compliance controls that started last year, and that such exams will also be expanded to include transfer agents.

Results of the SEC’s recent exam sweeps of BDs and advisors, which showed the BDs are more prepared for cyberattacks than advisors, are not meant to be “best practices guidance,” Martinez told attendees. Rather, the SEC exams in this area were used “to better understand how BDs and advisors are addressing legal, regulatory and compliance issues associated with cybersecurity,” and to “inform the commission on the current state of cybersecurity preparedness.”

Martinez noted that while the SEC currently does not have a cybersecurity rule, in terms of enforcement, the SEC is levying cyber-related actions via Regulation SP, the safeguard rule that requires cybersecurity policies and procedures be in place. “Most enforcement actions in the cyber area are happening under Reg SP,” he said, adding that FINRA is also levying actions under SEC's Reg SP as well as FINRA Rule 2010.

Brian Peretti, director for the Office of Critical Infrastructure Protection and Compliance Policy at the Treasury Department, who spoke on the same panel with Martinez, noted the low level of cybersecurity awareness at private-sector firms.

Peretti noted that the Cybersecurity Framework issued by the National Institute of Standards and Technology, or NIST, “is a way to start a dialogue about cybersecurity [and to] understand what the risks are,” noting other helpful measures include FINRA’s recently released Report on Cybersecurity Practices, which highlights cybersecurity practices BDs should adopt, the SEC exam sweeps results, as well as the North American Securities Administrators Association’s recently released report on questions consumers should ask their advisors about cybersecurity.

Daniel Sibears, FINRA’s executive vice president of Member Regulation, noted on the panel with Martinez and Peretti that FINRA may likely issue another cybersecurity-related report, noting that the recently released report focuses on “principles and effective practices, not rules; we know [cybersecurity is] a complicated area.”

He noted that everyone within an organization should be involved in cyber-preparedness. “It’s a collaborative process that has to occur at firms in order to be successful.”

--- Check out Bad Guys 'Winning' in Cyberattacks on ThinkAdvisor.

Reprints Discuss this story

Most Recent Videos

Video Library ››