For the fourth year running, the Securities and Exchange Commission’s Office continues to list cybersecurity as one of the top enforcement priorities for 2019. As it relates to cybersecurity, the SEC will be focusing on ensuring companies have proper configuration of network storage devices, robust information security governance, and established policies and procedures specific to protecting retail investors’ trading information and preventing cyber intrusions into retail brokerage accounts. The SEC also wants to see that companies both manage their own systems (including legacy systems) and maintain adequate oversight of the practices of their partners and affiliates.
The SEC has also articulated concern and focus regarding the cybersecurity practices of investment advisors. In particular, the SEC indicated it will review cybersecurity policies of investment advisors, with a focus on those with multiple branch offices or that have recently merged with other advisors. Investment advisors will need to demonstrate suitable governance and risk assessment of cyber risks, including incident response plans; robust controls and procedures around access to systems containing customer information; data preservation procedures; vendor management guidelines specific to cyber-related vendors; and cybersecurity training.
Putting it Into Practice: The SEC continues to focus significant attention and scrutiny on the cybersecurity practices and preparedness of market participants and registered entities. Companies should keep this in mind as they prioritize and fund their security efforts throughout 2019.