The 2016 lists are starting to be released by regulatory agencies in the United States, giving a heads' up to covered entities as to what compliance issues will take front and center this year. Once again, the Office of Compliance Inspection (OCIE) of the US Securities & Exchange Commission (SEC) has put cybersecurity on the top of its examination priorities. OCIE is responsible for conducting examinations of the entities required to be registered under various SEC regulations, including broker-dealers, transfer agents, investment advisers, and investment companies.
In September of 2015, the OCIE announced a second round of examinations of broker-dealer and investment adviser cybersecurity compliance and controls. The 2016 priorities include "advancing these efforts" and, according to the OCIE release yesterday, will also include testing and assessment of firms' implementation of procedures and controls.
It is imperative that registered adviser firms ramp up their cybersecurity compliance game in 2016 and include mock OCIE examinations and mock data breaches as part of their compliance testing. We expect that increased inspections will be coupled with increased fines and penalties. Just after issuance of the Risk Alert in September, the SEC censured and fined a St. Louis-based investment advisor for a failure to adopt written policies and procedures to ensure the confidentiality of personal information as required by law. According to the SEC, that failure led to a breach of the personal information of 100,000 investors held by R.T. Jones Capital Equities Management and led to a $75,000 fine.
The Mintz Privacy team presented a timely webinar in September -- "Another Cop on the Cybersecurity Beat: What to do Before and After the SEC and FINRA Come Knocking." If you missed it, take some time and view the recording available here to get your 2016 compliance playbook inspection-ready.