The Securities and Exchange Commission put the financial sector in a tizzy when it announced a sweep exam addressing cybersecurity last April. Along with the announcement came a detailed document request list that would make most compliance officers’ heads spin.
The problem with the cybersecurity sweep is that it seems to be coming from the wrong people and is addressed to the wrong people. When I think of the Securities and Exchange Commission I don’t think of hacking and data security. I think of lawyers and accountants. When I think of financial services compliance officers, I also think of lawyers and accountants.
Maybe that is overly specific. But I don’t think of cybersecurity experts in either case.
It’s not that cybersecurity is not important to the industry. It’s very important. Clients must have faith that their investments will not be stolen. Historically, the role of the SEC has been to make sure the financial professional is not stealing from its clients. Cybersecurity imposes a requirement that unknown hackers are not stealing from the financial professional’s clients.
The cybersecurity sweep went to 57 registered broker-dealers and 49 registered investment advisers and looked at the legal, regulatory, and compliance issues.
The SEC’s Risk Alert on Cybersecurity details the findings.
I’m going to guess that each bullet point is now a new standard that a firm will need to meet. The alert does not say so, but I’m going to use it as a blueprint for an additional review of cybersecurity.