In an interview on May 17, SEC Chair Mary Jo White made an eye-opening comment about cyber-security. Cyber-security, she stated at the Reuters Financial Regulation Summit, is now the "biggest risk facing the financial system."
White stated that the SEC has determined that "some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the sort of risks they faced." She added that the SEC's examinations in this area have revealed "a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks." The SEC is actively working to point out these deficiencies to the entities it regulates, she said, but it simply "can't do enough in this sector."
Cyber-security experts told Reuters that White's comments were the agency's strongest to date and "a historic recognition of the systemic risk facing Wall Street" from cyber-security issues. Indeed, it was only two years ago that the SEC began to scrutinize in earnest the immense risks cyber-security poses to financial markets, and to ask what its own role might be.
On March 26, 2014, the SEC held a "Roundtable on Cyber-security" at the recommendation of former SEC Commissioner Luis Aguilar. Aguilar stated at the time that he had become "particularly concerned about the risks that cyber-attacks pose to public companies, and to the capital markets and its critical participants, including the exchanges, clearing agencies, transfer agents, broker-dealers, and investment advisers." He said that while there was no doubt that the SEC needed to play a role in this area, "what is less clear is what that role should be." Chair White agreed with his recommendation and established the Roundtable to help the SEC "develop a better understanding of this growing problem."
Since the Roundtable, the SEC has been active in providing guidance to registered investment companies and investment advisers, and has conducted a series of examinations to identify cyber-security risks and assess cyber-security preparedness in the securities industry. The SEC's Office of Compliance Inspections and Examinations (OCIE) has also made cyber-security compliance and controls a key part of its Examination Priorities.
In addition, the SEC has been ramping up its cyber-security-related enforcement actions. In September 2015, the SEC filed a settled enforcement action against R.T. Jones Capital Equities Management for the firm's alleged failure to "establish the required cyber-security policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm's clients." The case was the SEC's first against a regulated entity for a cyber-security-related violation. On April 12, 2016, the SEC brought a settled administrative proceeding against Craig Scott Capital, LLC, a registered broker-dealer, and its two principals, alleging that they violated Reg S-P's requirements that broker-dealers adopt written policies and procedures to protect confidential customer information and records and to keep and maintain copies of all business communications.
Recently, SEC Enforcement Director Andrew Ceresney warned that other similar cyber-security cases alleging violations of Regulation S-P are "coming down the pike."