The Securities and Exchange Commission’s National Exam Program plans this year to continue its exams of brokers’ and advisors’ cybersecurity-related measures by conducting targeted exams of their “IT-related” controls, according to Vincente Martinez, chief of the SEC’s Office of Market Intelligence.
“Another round of exams” will be conducted this year by the SEC’s Office of Compliance Inspections and Examinations’ Technology Controls Program, “looking at the quality of the technical infrastructure of certain firms’” cybersecurity-related measures, Martinez said during a cybersecurity conference held Wednesday in New York by the Financial Industry Regulatory Authority and the Securities Industry and Financial Markets Association.
Martinez said these OCIE exams would target a “smaller group” of advisors and broker-dealers (BDs).
The SEC noted in its recently released exam priorities list for this year that OCIE will continue its exams of BDs’ and advisors’ cybersecurity compliance controls that started last year, and that such exams will also be expanded to include transfer agents.
Results of the SEC’s recent exam sweeps of BDs and advisors, which showed the BDs are more prepared for cyberattacks than advisors, are not meant to be “best practices guidance,” Martinez told attendees. Rather, the SEC exams in this area were used “to better understand how BDs and advisors are addressing legal, regulatory and compliance issues associated with cybersecurity,” and to “inform the commission on the current state of cybersecurity preparedness.”
Martinez noted that while the SEC currently has no standalone cybersecurity rule, it is bringing cyber-related enforcement actions under Regulation S-P, whose safeguards rule requires firms to have written policies and procedures to protect customer records and information. “Most enforcement actions in the cyber area are happening under Reg S-P,” he said, adding that FINRA is also bringing actions under the SEC’s Reg S-P as well as FINRA Rule 2010.