Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.


Publications Events

SEC Ratchets Up Enforcement of Cybersecurity Compliance

Publisher: Day Pitney Alert
April 22, 2014
Day Pitney Author(s) James E. Bowers

The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert last week on managing cybersecurity risks.1 The SEC is very serious about compliance with cybersecurity standards. The Commission recently hosted a Cybersecurity Roundtable to gather information from technology experts, registered entities and other interested parties on best practices for managing cyber-threats. Less than a month after the Roundtable, OCIE has released this Risk Alert.

OCIE announced that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers focusing on areas related to cybersecurity preparedness. The examinations will cover, among other areas, the governance process for managing cyber-risks, detection and assessment of cyber-risks, controls for managing identified risks, remote customer access to a registered entity's systems, and service provider relationships. To facilitate a registered entity's preparedness for the upcoming examination, OCIE has provided a sample document request, which provides information that can be used to assess a firm's level of cyber-preparedness.

Since data breaches are daily occurrences, registered entities would be wise to commence a cyber-review as soon as possible. Since corporate America is amply on notice about cyber-threats, OCIE is not likely to go easy on entities that are not prepared. For example, in the Risk Alert, OCIE asked whether a firm has updated supervisory procedures to reflect the Identity Theft Red Flag Rules that became effective over a year ago.2 If a firm has not done so, OCIE seeks a full explanation for the delinquency.

For more information about the Risk Alert or how to design a cybersecurity compliance program, please contact any of the individuals listed above or Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 or Mr. Bowers has written extensively about cyber-threats and the National Institute of Standards and Technology's development of a cybersecurity framework (referenced in the Risk Alert). For more information on this topic, see his article "Mitigating Data Breach Liability: In Search of a Best Practice."

[1] OCIE National Exam Program Risk Alert (April 15, 2014), available here.

[2] See Day Pitney Advisory on compliance with the Identity Theft Red Flags Rule (May 10, 2013).