
The SEC Just Released Its 2022 Priorities – Is Your Firm Compliant?

As the calendar turns on a fresh fiscal year, the SEC Division of Examinations has published its list of 2022 priorities. Since 2013, releasing a list of examination priorities has been an annual tradition for the Division – a move designed to improve transparency among investors and registrants, flagging areas of increased risk to ensure firms can do all they can to protect themselves.

And in 2022, there’s a great deal of risk.

The SEC’s 2022 priorities

Some of the SEC’s key priorities this year cover areas such as private funds, Environmental, Social and Governance (ESG) Investing, standards of conduct, and emerging technologies such as crypto-assets. For cybersecurity teams, it’s the SEC’s focus on information security and operational resiliency that demands immediate attention.

This year, the SEC Division of Examinations will be particularly focusing on broker-dealers’, RIAs’, and other registrants’ measures to prevent interruptions to mission-critical services, as well as protecting investor information, records and assets.

The Division states it will also continue to review whether firms have taken ‘appropriate measures’ to safeguard customer accounts and prevent account intrusions by ensuring the correct steps are in place to verify an investor’s identity. It will also examine whether firms are overseeing vendors and service providers, addressing malicious email activities, identifying red flags related to identity theft, and managing operational risk for those working from home. As such, the Division will be paying particular attention to compliance with Regulations S-P and S-ID, where applicable.

With the assaults on Colonial Pipeline, JBS Foods and CNA Financial, among others, 2021 was a lesson in just how much havoc a ransomware attack can wreak. And as the number of cyber-attacks shows no sign of diminishing, the Division’s 2022 priorities make it clear that firms must make operational resiliency and keeping customer data safe a core priority in 2022.

But it’s not just about managing risk – it’s also about recovery. The Division will also be reviewing business continuity and disaster recovery plans of registrants, paying particular attention to the impact of climate risk and ‘substantial disruptions’ to the flow of business operations.

Best practice for compliance

With security and compliance under the Division’s watchful eye, firms must reexamine their security infrastructure and ensure they’re meeting all compliance requirements – placing a particular focus on disaster recovery plans as flagged by the SEC.

Businesses must be realistic about the security risks they face and how to best mitigate them. They need to implement a clear recovery time objective and recovery point objective. They need to ensure that everyone knows their roles in the event of an incident and that there is a clear chain of command. And as the SEC noted, the shift to hybrid and remote working – which has stretched company networks and added extra endpoints – has made firms more vulnerable to cyber attack. As such, all security procedures must be adapted to reflect the changing landscape and ensure that even firms with a dispersed workforce will remain secure.

Real-time security

In today’s fast-paced environment, one of the most efficient ways to mitigate risk is through real-time monitoring of networks, third-party providers, and endpoints, so malicious activity is flagged and addressed as soon as it arises. Point-in-time assessments simply do not cut it anymore – by the time malicious activity is detected, cybercriminals may have already stolen highly sensitive information and done irreparable damage.
