Cybersecurity 2017: Top Exam Priorities for Federal Securities Regulators

Hedge funds and broker dealers can expect their cybersecurity preparedness to come under scrutiny again this year by federal securities regulators.

The U.S. Securities and Exchange Commission announced yesterday that the agency will continue to focus its 2017 examination efforts on cybersecurity issues. In announcing its exam priorities, the agency’s Office of Compliance Inspections and Examinations (OCIE) said cybersecurity “compliance procedures and controls, including testing the implementation of those procedures and controls” would remain an examination priority.

Outgoing SEC Chair Mary Jo White – who will be leaving the agency with the change in administration – announced OCIE’s annual exam priorities. It’s unclear whether her successor will make any changes to them.

Last week, the Financial Industry Regulatory Authority (FINRA), also announced its 2017 exam priorities. FINRA called cybersecurity “one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks.” In particular, FINRA pointed out that it would focus on two areas in which it has seen “repeated shortcomings in controls,” which includes weak controls at branch offices and a failure to adhere to Securities Exchange Act Rule 17a-4(f) requiring firms to preserve certain records in a non-rewriteable, non-erasable format – commonly called WORM format.

We will monitor and report on data security developments by both regulators.