On October 16, 2023, the SEC’s Division of Examinations (“EXAMS”) issued its 2024 Examination Priorities (the “2024 Priorities”). The 2024 Priorities reflect the Commission’s continued scrutiny of information security and operational resiliency at registrants and the risks posed by third-party service providers, as well as new attention to artificial intelligence and other forms of so-called emerging financial technology.
- Information Security and Operational Resiliency: EXAMS stated that “[o]perational disruption risks remain elevated due to the proliferation of cybersecurity attacks,” among other factors. Accordingly, cybersecurity remains a “perennial focus area” for registrant examinations, and EXAMS will continue to review registrants’ practices to protect “mission-critical” services and to protect investor data and assets. The Division will additionally focus on registrants’ policies and procedures, internal controls, oversight of third-party vendors, governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.
- Reg S-ID Policies and Procedures: In connection with such exams, EXAMS will consider staff training regarding Regulation S-ID (the Identity Theft Red Flags Rule) and the adequacy of policies and procedures to protect customer records and information.
- Firmwide Cybersecurity Across Branch Offices: Because many registrants have a main office and multiple other offices, EXAMS will continue to look at practices to prevent account intrusions and safeguard customer records and information (such as personally identifiable information) across multiple offices.
- Vendor Risk Management: EXAMS will continue to review vendor and third-party cybersecurity risk management, considering several different topics, including: the cybersecurity risks posed by third-party vendors; the security and integrity of vendor products and services; how registrants identify and assess vendor-related risks to essential business operations; and the unauthorized use of such providers. Consistent with its policy mandate, the Division will examine the concentration risk associated with third-party vendors, including how registrants are managing this risk and the potential U.S. securities marketplace impact.
- Artificial Intelligence: In the context of crypto assets and emerging financial technology products (“fintech”), the Division will continue to examine new products and services and sales practices with an emphasis on technological compliance and marketing features for online accounts. In this context, the Division “remains focused on certain services, including automated investment tools, artificial intelligence, and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data.”
Takeaways
The continued focus in the 2024 Priorities on cybersecurity issues suggests that the Staff expects firms to continue demonstrating proactive efforts to reduce both the frequency and magnitude of cybersecurity incidents.
In previous posts regarding the SEC’s cybersecurity priorities (including here and here), we identified multiple takeaways for firms based on SEC enforcement actions and guidance. These included: (1) Close Out Major Issues, (2) Prepare for the Need to Respond to and Recover from Ransomware, (3) Support and Document Senior-Level Engagement, (4) Perform Tabletop Exercises, (5) Provide Role-Based Employee Training, (6) Take Steps to Mitigate Risks from Credential Stuffing, (7) Enhance Programmatic Vendor Management, (8) Adhere to Cybersecurity Plans and Policies, (9) Revisit and Enhance Disclosure Controls, Where Necessary, and (10) Prepare for Supply-Chain and other Vendor Attacks.
The 2024 Priorities underscore the importance of these same measures, to the extent not already addressed, and they suggest firms should also consider the following:
- Revisit Business Continuity and Resiliency Preparations. Firms should consider whether there are additional steps that they can and should take to prepare for, and minimize the impact of, business disruptions caused by cybersecurity incidents. Given the evolving tactics of threat actors, who often work to compromise the viability of recovery options (for example, by deleting or encrypting backups) before or in the course of executing an attack, backup strategies that look adequate on paper may prove less resilient and less helpful than anticipated in a live incident. Steps to consider therefore include re-assessing the timeliness, security, and availability of backups, including whether at least one copy is kept offline or otherwise isolated from the production environment and whether restoration from it has actually been tested, as well as the availability of fail-over systems that could be used to continue or restore operations, if needed.
- Reconsider Identity Theft Prevention Program Design and Implementation. In light of the Staff’s continued focus on firms’ safeguarding and Reg S-ID obligations, firms should consider whether they have in place written policies and procedures reasonably designed to detect and address red flags of identity theft. They also should consider whether they conduct effective and appropriate training for employees to support the firm’s compliance with obligations regarding customer accounts and information.
- Analyze Differences Between and Among Branches and Home Offices. Firms should consider whether there are significant differences between the application of their cyber- and information-security policies, procedures, and controls between and among their various branches and offices. Any such differences should be examined carefully to ensure they are reasonable in light of the circumstances, and (if necessary) remediated.
- Vendor Risk Management. Firms should consider the design and effectiveness of their third-party and vendor risk management programs. Among other risk areas to consider, firms should contemplate both (a) the risk of supply-chain and hub-and-spoke attack strategies, through which threat actors seek to compromise firm environments by taking advantage of third-party and vendor connectivity, and (b) the risk to sensitive or strategically important information held by third parties and vendors. Firms also may want to revisit the extent and prioritization of vendor diligence and oversight to test for compliance with cybersecurity-related terms and conditions, as well as the adequacy of documentation and records reflecting these efforts.
The Debevoise Artificial Intelligence Regulatory Tracker (“DART”) is now available for clients to help them quickly assess and comply with their current and anticipated AI-related legal obligations, including municipal, state, federal, and international requirements.
The cover art used in this blog post was generated by DALL-E.