Getting Their Priorities Straight: Cybersecurity

By Abigail Howd, Spring 2018 IAC Student Intern

In 1990, Vanilla Ice instructed the world to “stop, collaborate, and listen.”  The U.S. Securities and Exchange Commission (SEC) followed Ice’s advice precisely.  Since 2013, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has released an issue focus list each year called the examination priorities.  The OCIE creates these lists “to improve compliance, prevent fraud, monitor risk, and inform policy.”  Each year, the OCIE stops to identify emerging risks to investors.  Then, the OCIE collaborates with various market and compliance professionals regarding the challenges they faced the preceding year.  Finally, the OCIE listens to the advice of its Chairman, Commissioners, the Investor Advocate, and other SEC staff to formulate a focus list for the new year.

The OCIE provides several principles it considers when formulating its new examination priorities.  For example, the OCIE is risk-based because it is unable to conduct regular and complete reviews of every registered firm every year.  The examination priorities allow the OCIE to focus its efforts on firms whose services are on the focus list for that year.  The OCIE also uses data analytics to pinpoint non-compliance and high-risk behavior in the securities industry.  Earlier this year, the SEC released its 2018 National Exam Program Examination Priorities.  This year’s priorities, in no particular order of importance, are:

  1. Cybersecurity;
  2. Anti-money laundering programs;
  3. Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB);
  4. Compliance and risks in critical market infrastructure; and
  5. Matters of importance to retail investors, including seniors and those saving for retirement.

The first priority listed is cybersecurity.  Due to firms’ and investors’ increasing reliance on technology and the internet, OCIE believes that “[c]ybersecurity protection is critical to the operation of our markets.”  As firms and other market participants rely more and more heavily on technology, the risks of data breaches and other cyber threats will continue to grow.  FINRA also has its eye on cybersecurity.  Some of the most common cyber threats that FINRA observed in 2016 and 2017 were “phishing and spearphishing attacks, ransomware attacks and fraudulent third-party wires that frequently involve use of email or stolen customer or financial advisor credentials.”  Phishing and spearphishing are both techniques in which fraudsters use fraudulent emails and copycat websites to trick consumers into providing identification and account information.  Ransomware “infects computers with malicious software that encrypts computer users’ files and demands payment of ransom to restore access to the locked files.”

Many potential victims of cyber threats do not know all the ways they are unintentionally exposing themselves to risk.  The SEC released many helpful Investor Alerts and Investor Bulletins to educate investors about the potential risks and how to best protect themselves.