Securities and Exchange Commission

SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices


On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued observations gleaned from its examinations related to cybersecurity and operational resiliency practices taken by market participants (the “Observations”). The Observations impact the entire securities industry because OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy.

The Observations cover a broad range of operations in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to safeguard against threats and respond in the event of an incident.

Organizations subject to examination by OCIE should expect that the primary elements highlighted will be a focus of routine as well as targeted examinations. The Observations are best regarded as a set of “best practices” that regulated organizations should consider in developing, implementing and monitoring the effectiveness of their own compliance programs.

The following are selected excerpts from the Observations that we believe are the most significant. A complete copy of the Observations can be found here.

Governance and Risk Management

OCIE emphasized that effective compliance programs “start with the right tone at the top.” As a top priority of any examination, senior leaders should be committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.

OCIE observes that a key element is the incorporation of a governance and risk management program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.

Access Rights and Controls

OCIE observes that “access rights and controls” are used to identify and determine which users within an organization should have access to organization systems, based on their job responsibilities. Access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.

Data Loss Prevention

“Data loss prevention,” as conceived by OCIE, typically includes a set of tools and processes an organization uses to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.

Mobile Security

Mobile devices and applications may create additional and unique vulnerabilities. Examples of the mobile security measures OCIE has observed include the following elements: (i) establishing specific policies and procedures for the use of mobile devices, including managing the use of mobile devices (e.g., the compliance program addresses the special concerns presented when employees are permitted to use their own mobile devices in performing business functions); (ii) implementing security measures; (iii) training employees, including training employees on mobile device policies; and (iv) effective practices to protect mobile devices.

Incident Response and Resiliency

OCIE notes the importance of a compliance program including the following elements: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents. OCIE emphasized that an important component of an incident response plan is a business continuity plan and resiliency plan that addresses how quickly the organization could recover and again safely serve clients if the operations of the organization were materially disrupted.

Vendor Management

OCIE found that practices and controls related to vendor management generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.

Training and Awareness

Training and awareness are key components of cybersecurity programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats.

OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness: (i) training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency; (ii) providing specific cybersecurity and resiliency training, including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious; (iii) monitoring to ensure employees attend training and assessing the effectiveness of training; and (iv) continuously re-evaluating and updating training programs based on cyber-threat intelligence.

SEC Obtains Emergency Order Halting Alleged Diamond-Related ICO Scheme Targeting Hundreds of Investors


On May 21, the Securities and Exchange Commission (SEC) announced that it obtained a court order halting an ongoing $30 million Ponzi scheme. The SEC complaint charged a cryptocurrency business and its principal with using investor funds to run a Ponzi scheme. Release.

SEC Announces the Formation and First Members of Fixed Income Market Structure Advisory Committee


On November 9, 2017, the Securities and Exchange Commission (“SEC”) announced the formation and first members of its Fixed Income Market Structure Advisory Committee.

According to the announcement, the committee, whose initial focus will be on the corporate bond and municipal securities markets, will provide advice to the Commission on the efficiency and resiliency of these markets and will identify opportunities for regulation.

The entire announcement can be found here.

SEC Announces Measures to Facilitate Cross-Border Implementation of the European Union’s MiFID II’s Research Provisions


On October 26, 2017, the Securities and Exchange Commission (“SEC”) announced that, “following consultation with European authorities, and in response to concerns that investors could lose access to valuable research, the staff of the U.S. Securities and Exchange Commission issued three related no-action letters. These letters are designed to provide market participants with greater certainty regarding their U.S. regulated activities as they engage in efforts to comply with the European Union’s (EU) Markets in Financial Instruments Directive (MiFID II) in advance of the Jan. 3, 2018, implementation date.”

According to the SEC, the no-action relief “provides a path for market participants to comply with the research requirements of MiFID II in a manner that is consistent with the U.S. federal securities laws. More specifically, and subject to various terms and conditions: (1) broker-dealers, on a temporary basis, may receive research payments from money managers in hard dollars or from advisory clients’ research payment accounts; (2) money managers may continue to aggregate orders for mutual funds and other clients; and (3) money managers may continue to rely on an existing safe harbor when paying broker-dealers for research and brokerage.”

The Press Release announcing these developments can be found here.

SEC Adopts Rules to Modernize Information Reported by Funds, Require Liquidity Risk Management Programs, and Permit Swing Pricing


On October 13, 2016, the Securities and Exchange Commission adopted rules to implement modern reporting and disclosure requirements for registered investment companies and open‑end funds. Press Release.

FINRA and SEC Announce Tick Size Pilot Program


On October 3, 2016, the Financial Industry Regulatory Authority (“FINRA”) and the Securities and Exchange Commission’s (“SEC”) Office of Investor Education and Advocacy issued an Investor Alert announcing a new National Market System (NMS) Plan that will implement a Tick Size Pilot Program (the “Pilot”). The Pilot will widen the minimum quoting and trading increment – sometimes called the “tick size” – for some small capitalization stocks. The goal of the Pilot is to study the effect of tick size on the liquidity and trading of small capitalization stocks.

The Pilot has been implemented pursuant to the Jumpstart Our Business Startups Act which, among other things, directed the SEC to conduct a study and report to Congress on how decimalization affected the number of initial public offerings, and the liquidity and trading of securities of smaller capitalization companies.

Under the Pilot, the tick size will be widened from a penny ($0.01) to a nickel ($0.05) for specified securities listed on national securities exchanges (“Pilot Securities”). For some Pilot Securities, only quoting will need to occur in $0.05 increments, while for others, both quoting and trading generally will need to occur in increments of a nickel.

The Pilot will include a specified subset of the exchange-listed stocks of companies that have $3 billion or less in market capitalization, an average daily trading volume of one million shares or less and a volume-weighted average price of at least $2.00 for every trading day. There will be a control group of approximately 1,400 securities and three test groups, each with approximately 400 securities selected by a stratified sampling.

The Pilot will run for a two-year period commencing on October 3, 2016.

The data collected from the Pilot will be used by the SEC, national securities exchanges and FINRA to assess whether wider tick sizes enhance the market quality of these stocks for the benefit of issuers and investors—such as less volatility and increased liquidity.


SEC Adopts Rules for Enhanced Regulatory Framework for Securities Clearing Agencies

On September 28, 2016, the Securities and Exchange Commission (“SEC”) voted to adopt new rules to establish “enhanced standards for the operation and governance of securities clearing agencies that are deemed systemically important or that are involved in complex transactions, such as security-based swaps.” In addition, the SEC has proposed to apply these new standards to additional categories of securities clearing agencies, including all SEC-registered central counterparties. The rules will become effective sixty days after their publication in the Federal Register. Press release.

SEC Adopts Amendments Providing Authorities Access to Data Obtained by Security-Based Swap Data Repositories


On August 29, 2016, the Securities and Exchange Commission amended a rule designed to provide regulators with access to data in the security-based swap market. The amendments were adopted to make the sharing of that information more secure and efficient. Press release.

SEC Adopts Rules to Enhance Information Reported by Investment Advisers


On August 25, 2016, the Securities and Exchange Commission adopted amendments to rules and forms designed to improve disclosures provided by investment advisers to investors and the Securities and Exchange Commission. Press release.