The SEC’s annual list of exam priorities undergoes adjustments from year to year, but one topic has turned evergreen and risen to the top of the list for buy-side firms: cybersecurity.
“Cyber is the one issue, regardless of who you are in our industry, that directly affects you,” said Allison Charley, Senior Principal Consultant with ACA Compliance Group, speaking at a February webinar hosted by SS&C Advent. “The SEC put it on the list for the last five years, and I would expect it to remain there long into the future.”
Firms are clearly hungry for insights that will help them comply with regulations and best manage their firms in the eyes of the SEC. Last week, more than 600 attendees listened to the webinar SEC Exam Priorities for 2019. During the presentation, attendees were polled on the issue of biggest concern to their firms – the one they believed would require the most time, money and resources to address in the coming year. Around 70% of respondents cited cybersecurity atop all other issues. While the selection of cybersecurity wasn’t astonishing, the difference (more than 50%) to the second highest rated choice - retail investors, seniors, and retirement – is surprising, which received just 17% of the votes.
From the webinar, attendees learned that exams are getting increasingly more rigorous on the topic of cyber security. If your firm gets the proverbial knock on the door, expect the examiners to ask about your network and data storage configurations, as well as all the technologies and devices that you utilize. Examiners want to know how you handle information security governance:
- Do you have policies, procedures, and documentation in place?
- Are you doing risk assessments and penetration testing?
- What are your standards for wireless devices?
- Who are your service providers and IT vendors?
- Is security due diligence regularly performed on vendors?
- And above all, do you have an incident response plan?
You can’t get away with winging it. Even firms that did everything right after a breach have been sanctioned, if they did so without a written plan.
Cybersecurity may be commanding the most attention from this poll result, but it is just one of the many priorities on the SEC’s list. The top priority, as in recent years, is protection of retail investors, especially seniors and those saving for retirement. Examiners will want to know that RIAs and broker-dealers have measures in place to protect clients from fraud, exploitation, or abuse by employees. They will look at the suitability of investment recommendations and whether they are in line with client objectives, risk profiles, and restrictions. Of course, they’ll want to see that fees and expenses are fully disclosed. They’ll also want to know how you handle conflicts of interest, and whether employees are incentivized financially to push certain products. Such arrangements aren’t necessarily illegal, but they have to be thoroughly and properly disclosed.
One of the newer topics appearing on the SEC’s list is digital assets including “crypto” securities. To the extent that digital assets are deemed to be securities, they are essentially governed by the same rules and regulations as traditional securities. Several enforcement actions were taken last year against crypto issuers and traders that had simply failed to comply with basic requirements, such as filings and disclosures or compliance controls.
The SEC has made no secret of its shortage of examiners relative to the growth of the industry. By publishing its priorities each year, the intent is that most firms will pay attention to them and the commission can target its limited resources on high-risk firms. In a poll at the start of the webinar, 40% of attendees said their firms had never had an SEC exam, but 60% had one within the last five years. Rather than try to beat the odds, it’s better to know the priorities. The recorded webinar is just under an hour, including Q&A with the audience, and well worth the time.