SEC Exam Priorities Said to Focus on Cybersecurity, Seniors in 2018

Investments involving seniors and cybersecurity compliance are among the concerns expected to make the 2018 examination priority list now being developed by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), according to industry experts familiar with the process.

The list is likely to be released in January and will be the roadmap for OCIE activities for the year with an expected focus on market-wide risks and retail investor risks.

“Cybersecurity will be an expanded OCIE priority in 2018, as examiners look to whether sufficient cybersecurity policies, procedures and controls are in place to protect personal information,” Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft, told ThinkAdvisor.

“With the one-two punch of the Equifax and EDGAR breaches still fresh in the headlines, it is hard to imagine cyber will not be front-and-center going forward. Chair [Jay] Clayton has stated that he views cybersecurity as a critical part of the infrastructure underlying the capital markets, and this emphasis will no doubt be borne out in OCIE priorities.”

James Fanto, a professor at Brooklyn Law School, agrees, saying, “There is simply so much activity in the cybersecurity space with the Equifax hack and the SEC’s own hack that they can’t ignore this subject. And there is always the worry that customer assets will be hacked into and taken.”

Robert Plaze, an attorney at Proskauer Rose, also sees cybersecurity as an OCIE priority. “It’s a real risk throughout the financial services industry – and a wide swath of other industries – and the SEC is vulnerable if it is not viewed as sufficiently vigilant because the SEC was itself hacked.”

Moreover, Denver Edwards, an attorney at Bressler, Amery & Ross, points out that the OCIE, in recent years, examined broker-dealers and investment advisors for compliance with cyber-security regulations.

“OCIE will continue to examine registrants for cyber compliance given that cyber breaches have become ubiquitous,” he adds. “The Commission is concerned about hacking to access material, non-public information; account intrusions to conduct manipulative trading; and disseminating false information … to manipulate stock prices.”

Related to this, there has been a divide internally among the SEC staff on cybersecurity, a knowledgeable source told ThinkAdvisor. On one side, there are those who are more “militant” and want stricter standards and more enforcement actions, and want to make an example of a business or firm that has a cyber incident.

On the other side are those who are less militant and who understand that companies and firms regulated by the SEC want to avoid cyber incidents and are spending money to mitigate risk and improve their cyber defenses. This side may also want to see information sharing and collaboration with the government, and does not want to be as aggressive. As 2018 progresses, the SEC may reveal where it stands among the factions.

The SEC is also concerned about the savings of retirees and baby boomers. This involves people who saved money in a 401(k) or other retirement fund, and the way financial services companies want them to move that money into their firm, which poses some risk.

“Last time, the list had an entire section on senior investors and retirement products. I just don’t see that focus going away, given the drumbeat on that topic as so many of us age and have to rely on retirement assets,” Fanto said. “This topic could include all sorts of things, such as products targeted to seniors.” 

Fanto says other issues could make the priority list for 2018 and may include:

  • Problem brokers who move from firm-to-firm or from broker-dealers to advisors.
  • Problematic retail products, such as initial coin offerings and anything related to Bitcoin.
  • Investment advisor practices.

Edwards suggests other possible categories may be included, such as: high-fee mutual fund share classes; failure to disclose fees; robo-advisors; advertising; abusive practices; and anti-money laundering.

Also, given that OCIE Director Peter Driscoll had input into OCIE’s 2017 priorities, many of them could “carry over into the new year. There will continue to be a focus by OCIE on protections for retail investors, especially seniors, from abusive sales and marketing practices and improper fee structures,” Moreno said. “A continued emphasis on reviewing registered investment advisors – particularly those who have never been examined by OCIE – will mean fewer resources focused on broker-dealers.”

The list is not expected to change much from the 2017 priorities. Whatever is listed, the knowledgeable source said, the priorities are likely the result of speaking with each SEC commissioner and each division. The list is worked on for months and becomes a “strategic plan for the year,” the source said.

In fact, the source predicts the OCIE will dedicate three-quarters of its time and resources to the listed priorities.

“The OCIE’s priorities list is of significance to compliance officers in broker-dealers and advisers because it tells them what to expect when the SEC’s examiners visit their firm,” Fanto adds.