Broker-dealers and advisors should brace for “cybersecurity regulation or guidance” from the Securities and Exchange Commission “in the near future,” and expect that future cybersecurity enforcement actions could result in “significant” fines, says the law firm Sutherland Asbill & Brennan.
In a Tuesday legal alert titled “Cybersecurity Issues in the Financial Services Industry: Fasten your cyber belts, it’s going to be a bumpy night,” Sutherland notes that the recently launched exams by the SEC and FINRA of broker-dealers’ and advisors’ cybersecurity policies are assessing many of the same issues addressed in previous enforcement actions brought by both regulators against firms for cybersecurity-related failures.
Sutherland tells BDs and advisors to brush up on the areas that both regulators are focusing on in their cybersecurity “sweeps,” details previous cybersecurity-related infractions detected by both regulators, and predicts a more aggressive cybersecurity regulatory environment ahead.
Cybersecurity is going to be “a ‘hot’ regulatory issue for the foreseeable future,” say the legal alert’s authors, Brian Rubin, John Walsh and Shanyn Gillespie. “The threat of cyberattacks is rising, not diminishing.
“As the threat grows, regulatory interest is likely to expand,” they continue. What’s more, “as data breaches continue to generate headlines, regulators will likely face mounting pressure from Congress and the public to act in this area. Future regulatory and enforcement actions are therefore anticipated.”
Sutherland notes that FINRA’s cybersecurity sweep exams cover many of the same issues as the SEC’s examinations, including: information technology risk assessment; business continuity plans in the event of a cyber-incident; organizational structures and reporting lines; sharing and evaluating cyber threat information; cybersecurity breaches in the past years and their consequences; responding to denial of service attacks; cybersecurity training; cybersecurity insurance; and vendor contracts.
Thus, Sutherland writes, “both regulators appear to be in agreement that these issues represent important cybersecurity considerations.”
The SEC’s recently released alert from its Office of Compliance Inspections and Examinations noted that OCIE has now focused its exams on more than 50 registered broker-dealers and advisors.