SEC cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

Public companies and firms operating in regulated industries, especially finance, should expect more SEC cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:

On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.

In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.

"The greatest threat to our markets right now is the cyber threat," said Peikin, who was still wearing a guest badge because he had not yet received his formal SEC credentials. "That crosses not just this building, but all over the country."

The SEC has started to see an "uptick" in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.

This follows on the heels of a risk bulletin the SEC released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.

Cyber Security Problems Uncovered During Regulatory Exams

Also contributing to the new SEC cyber security focus are widespread security lapses the SEC found during recent regulatory exams at financial companies, including:

• Unauthorized disclosures of personally identifiable information (PII).
• Susceptibility to phishing emails; employees were found to click on suspicious attachments more than 20% of the time.
• Third-party wires not being properly authenticated.
• Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.

Penalties for non-compliance with SEC cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach. In earlier actions it sanctioned Craig Scott Capital LLC $100,000 for using non-firm email addresses to receive faxes, and made R.T. Jones Capital Equities Management Inc. pay $75,000 for "failing to implement proper cyber policies" after the firm was breached.

Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC is investigating Yahoo for its numerous data breaches.

Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side

A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.

Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. But the cost of a cyber attack, plus the penalties for non-compliance, is far higher than the investment needed to prevent attacks and maintain compliance in the first place.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.