SEC to Conduct Second Phase of Cybersecurity Sweep

After completing a sweep of 100 firms focusing on preparedness concerning cybersecurity in 2014 and subsequently releasing their summary findings in February 2015, the SEC is poised to begin a second phase of their cybersecurity initiative this summer. This is in line with the 2015 exam priorities that included a continued focus on cybersecurity.


After completing a sweep of 100 firms focusing on preparedness concerning cybersecurity in 2014 and subsequently releasing their summary findings in February 2015, the SEC is poised to begin a second phase of their cybersecurity initiative this summer. This is in line with the 2015 exam priorities that included a continued focus on cybersecurity.

On March 9, 2015, in an interview with the compliance publication IA Watch, Jane Jarcho, OCIE’s national associate director of the Investment Adviser/Investment Company exam program, described the current thinking behind its “phase 2” initiative around cybersecurity. Ms. Jarcho explained that the next phase will begin this summer or early in 2016 and will include about the same number of firms being contacted. One major difference with this second phase is that, unlike the first sweep conducted, these exams will be onsite visits. Ms. Jarcho said that examiners will dig deeply into a few cyber related topics during these visits.

“It’s still in flux exactly what we’ll be doing” in phase 2, Jarcho said. But Jarcho did indicate that likely areas of inquiry would include what response plans firms have for a cyber breach or attack; due diligence of vendors’ cyber policies and procedures; and what role senior management and boards play in approving a firm’s cybersecurity policies and procedures. Phase 2 will be a nationwide effort and will more than likely be influenced by the “more notorious breaches” reported in the press, she added.

While there are currently no rules dictated by OCIE with respect to a firm’s approach to cybersecurity, there are resources that many firms are referring to while creating and adopting cyber related policies and procedures. These include the National Institute of Standards and Technology framework and the Federal Financial Institutions Examination Council guidance.

Increasingly, civil actions and class-action suits related to cyber-security threats are being filed. In a recent decision, rendered on March 13, 2015, a federal judge dismissed two data-breach class action cases filed by plaintiffs whose personal information was hacked from a payroll company. These individuals were consequently at an increased risk of identity theft. However, Judge John Jones III found because no actual identity-theft-related crimes occurred as a result of the breach, there was no compensable injury and it does not suffice to allege an imminent injury. The defendants were lucky in this instance but, in most cases, there will be injury involved and consequently, in addition to an SEC inquiry, fund managers may be exposed to civil actions.

SEC3 can assist your firm in creating, implementing and maintaining your cybersecurity policies and procedures. For further information, please contact your SEC3 representative or contact us at info@seccc.com.