SEC stands for Business: Tackling Financial Institutions’ Complacency with Security Practices



The U.S. Securities and Exchange Commission (SEC) is sending a clear message to all of the companies it regulates: the days of complacency, shoddy tracking, and minimal investment in cybersecurity compliance programs are over.

Governments (federal and local) and businesses recognize that they are facing a wave of increasingly sophisticated and damaging cybersecurity attacks that threaten sensitive United States data and infrastructure. In May of this year, the Biden administration issued an executive order to implement measures to dramatically improve the country’s cybersecurity protections for vital infrastructure. The order is a call for federal agencies to improve security standards and raise their cybersecurity performance goals.

The SEC has stepped up its own review and enforcement efforts. The Commission considers that cyber risk jeopardizes the finances and the future of companies and compromises the ability of public investors to make sufficiently informed and judicious investment decisions. As evidenced by charges against eight broker-dealers and investment advisers for security failures between June and August 2021, the SEC is stepping up its game in overseeing and enforcing cybersecurity standards and penalizing those who are complacent in their security practices. Broker-dealers and investment advisers would be wise to understand and remedy the failures that prompted the SEC's charges.

Violating disclosure and safeguard rules

In August 2021, the named companies agreed to pay fines totaling $750,000 to resolve actions resulting from incidents that exposed the personally identifiable information (PII) of thousands of customers through email account takeovers. Essentially, these companies violated the Safeguards Rule, which requires broker-dealers, investment firms and advisers to adopt written security policies and procedures to protect customer records and information.

The failures of the companies targeted by the SEC centered on their inability either to protect accounts in accordance with their own written policies or to adopt adequate protection programs in the first place. In addition, some firms failed to adopt and implement company-wide improvements to the security of cloud-based email accounts in a timely manner after a breach. In one case, the gap was three years from the discovery of the first breach.

Perhaps most worrying was a pattern of misleading and inaccurate communications to third parties regarding cyber events, together with delays in notifying affected parties of when the breach occurred. SEC investigators also identified a significant disconnect between those responsible for reporting cyber events and senior executives, with executives at the highest levels often uninformed about serious incidents.

Based on these SEC actions, it is fair to expect that the following failures will attract further enforcement action from the SEC:

  • Failure to adopt a written cybersecurity plan with clear policies and procedures
  • Failure to comply with the company’s security plan in place in the event of a cyber breach
  • Failure to improve cybersecurity policies and practices quickly after a breach
  • Failure to fully disclose a cyber event to all required parties promptly with accurate information

Avoid the sting of SEC surveillance by ensuring high-level compliance

The SEC is ringing the bell that inadequate cybersecurity controls and practices will no longer be tolerated. Businesses need to face the situation and prioritize cybersecurity measures within their budget and in the boardroom, as the days of minimal investments and ‘getting by’ are over.

Building a robust cybersecurity framework should be a must for every business. The only thing worse than not having a comprehensive security policy is having one that is ineffective or not followed. The corporate culture, which begins at the highest level and reverberates throughout the company, must aim for excellence. Companies that achieve a high level of compliance have generally developed a culture of excellence in other areas as well. As the cyber threat landscape expands daily, the nature of cybersecurity compliance must include a combination of advanced technologies, procedures and best practice policies that provide maximum protection.

Framework for developing strong cybersecurity compliance

  • Create a disclosure committee with high level directors and employees; perform quarterly reviews to identify anomalies and share findings with the board and senior management
  • Integrate advanced Identity Access Management (IAM) tools, zero trust architecture and multi-factor authentication technology
  • Create more visible processes with vulnerability management tools and platforms to assess digital assets, their importance and overall exposure risk
  • Provide complete and accurate descriptions of cyber incidents to third parties with timely updates of disclosures and impacts
  • Be prepared to disclose incidents before they are fully understood – don’t underestimate the nature and scope of cyber incidents
  • Conduct regularly scheduled forensic assessments of cybersecurity systems with simulated attacks and ongoing monitoring of the protection plan by the compliance team

Cybersecurity teams should use nationally recognized cybersecurity frameworks, such as those published by the National Institute of Standards and Technology (NIST). The Cybersecurity and Infrastructure Security Agency (CISA) website also contains many useful resources for businesses.


“The bare minimum” will no longer be an acceptable cybersecurity compliance standard for broker-dealers and investment firms. While a business cannot prevent every cyber incident, the SEC will certainly look at the processes, technical safeguards, and personnel requirements that were in place before the event occurred. Companies that do not have effective policies, or that do not strictly adhere to those policies, are likely to see tougher enforcement actions from the SEC than companies that make the investments necessary to protect their clients' data.
