Cybersecurity “enforcement has begun,” Thomas Hibarger, managing director of Stroz Friedberg, warned Wednesday at the Securities Enforcement Forum in Washington, adding however that enforcement is “not a trend yet.”
Indeed, executives from both the Securities and Exchange Commission and the Financial Industry Regulatory Authority noted at the forum, held by Securities Docket, that cybersecurity preparedness is an exam priority this year and next.
“Cyber is an important topic,” added Russell Ryan, senior vice president and deputy chief at FINRA enforcement, who sat on the panel with Hibarger. “Brokerage firms are a prime target of criminal cybersecurity because that’s where the money and personal information is.”
Exam teams “are looking at [cybersecurity] closely” and assessing the policies that firms have in place, Ryan said. Cybersecurity has been a FINRA exam priority for the “past two years,” he added. “There hasn’t been a ton of activity on the enforcement side but I do think we’ll see more as we go on.”
Advisory firms and broker-dealers “must have reasonable [cybersecurity] safeguards in place,” noted Julie Riewe, co-chief of the SEC’s Asset Management Unit, which is housed in the agency’s Division of Enforcement.
She noted the first cybersecurity enforcement case the SEC brought against St. Louis-based investment advisor R.T. Jones Capital Equities Management for not having cybersecurity policies and procedures in place to stop a breach of the personal indentifiable information of 100,000 individuals, including thousands of the firm’s clients.
R.T. Jones agreed to pay a $75,000 penalty to settle the SEC charges that it violated federal securities laws requiring RIAs to adopt written policies and procedures reasonably designed to protect customer records and information.
The SEC in mid-September released a set of questions for advisors and broker-dealers to answer regarding their cybersecurity preparedness, as the agency started its second round of cyber-related exams beginning in October.
OCIE issued its Risk Alert to provide additional information on the areas of focus for the exam division’s second round of cyber exams, which the agency says will involve “more testing to assess implementation of firm procedures and controls.”
When it comes to cybersecurity, the SEC, Riewe stated, “thinks about the policies and procedures that need to be in place.”
The “big takeaway,” Stroz Friedberg’s Hibarger noted, is that firms “should have their house in order; if you have reasonable procedures, you’ll be OK.” He added that a more egregious cybersecurity related enforcement action could be brought in the next year to 18 months.
— Check out SEC Clarifies RIAs’ Cybersecurity Obligations on ThinkAdvisor.