Investments involving seniors and cybersecurity compliance are among the concerns expected to make the 2018 examination priority list now being developed by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), according to industry experts familiar with the process.
The list is likely to be released in January and will be the roadmap for OCIE activities for the year with an expected focus on market-wide risks and retail investor risks.
“Cybersecurity will be an expanded OCIE priority in 2018, as examiners look to whether sufficient cybersecurity policies, procedures and controls are in place to protect personal information,” Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft, told ThinkAdvisor.
“With the one-two punch of the Equifax and EDGAR breaches still fresh in the headlines, it is hard to imagine cyber will not be front-and-center going forward. Chair [Jay] Clayton has stated that he views cybersecurity as a critical part of the infrastructure underlying the capital markets, and this emphasis will no doubt be borne out in OCIE priorities.”
James Fanto, a professor at Brooklyn Law School, agrees, saying, “There is simply so much activity in the cybersecurity space with the Equifax hack and the SEC’s own hack that they can’t ignore this subject. And there is always the worry that customer assets will be hacked into and taken.”
Similarly, Robert Plaze, an attorney at Proskauer Rose, also sees cybersecurity as an OCIE priority. “It’s a real risk throughout the financial services industry – and a wide swath of other industries – and the SEC is vulnerable if it is not viewed as sufficiently vigilant because the SEC was itself hacked.”
Moreover, Denver Edwards, an attorney at Bressler, Amery & Ross, points out that the OCIE, in recent years, examined broker-dealers and investment advisors for compliance with cyber-security regulations.
“OCIE will continue to examine registrants for cyber compliance given that cyber breaches have become ubiquitous,” he adds. “The Commission is concerned about hacking to access material, non-public information; account intrusions to conduct manipulative trading; and disseminating false information … to manipulate stock prices.”
Related to this, there has been a divide internally among the SEC staff on cybersecurity, a knowledgeable source told ThinkAdvisor. On one side, there are those who are more “militant” and want stricter standards and more enforcement actions, and want to make an example of a business or firm that has a cyber incident.