SEC steps up intensity of cybersecurity oversight

The SEC has been concerned for years about online attacks that could expose financial advisors’ customer data, but the agency’s intensity on the topic is now reaching a crescendo.

In a split vote, the Securities and Exchange Commission released for public comment March 15 a 500-page proposal that would require brokers, clearing agencies, major swaps operations and other entities to establish written policies and procedures to address cybersecurity threats.

At the same open meeting, the entire commission voted to release for public comment a separate proposal that would require broker-dealers, investment companies, registered investment advisers and transfer agents to notify clients and customers of data breaches that could expose them to identity theft or other harm.

The commission also reopened the public comment period on a cybersecurity proposal for registered investment advisors.

A couple of weeks ago, the SEC issued a risk alert stating that its examination staff has found RIA and brokerage deficiencies in safeguarding customer records and information at branch offices. The alert highlights that the SEC again this year has made cybersecurity an examination priority.

“This is the most [SEC] activity we’ve seen in this space to date,” said Amber Allen, executive vice president and general counsel at Fairview, a regulatory consulting firm.

So far, the SEC has taken a “shotgun approach to cybersecurity risk management,” said EJ Yerzak, director of cybersecurity services at Confluence, a regulatory technology provider and consultant.

But by reopening the comment period on the advisor cybersecurity rule and running it concurrently with the public comment period on the broker rule, the agency appears to be attempting to align the two.

“What the SEC is doing is hitting the pause button to allow time to consolidate its approach,” Yerzak said.

That timeout will be welcome by trade associations that have called on the SEC to slow its rulemaking process, which has been criticized as overly aggressive and overlapping.

The comment periods will run for a few more weeks, and it’s difficult to predict how the agency might modify the advisor and broker proposals before they become final rules. But it is clear the agency intends to strengthen cybersecurity requirements, a point that was reinforced by the recent risk alert.

Financial advisors shouldn’t wait for new regulations to be put into place before shoring up their internal cybersecurity oversight.

“It’s important for advisors to prepare ahead of the final rules,” Allen said. “It’s clear that investment advisors need to focus on implementing comprehensive cybersecurity policies and procedures. Policies need to cover not only the main office but also branches and remote locations.”

Firms should look for “gaps in policies” that fail to address cybersecurity risks such as vendor oversight, use of mobile devices, data loss and change management, Yerzak said. They also should put an emphasis on cyber testing and training.

Taking those steps is not only necessary to keep regulators at bay, it’s also good for clients.

“It makes business sense to safeguard your customer data,” Yerzak said.