SEC Announces Initiative to Fight Cyber Threats and Protect Retail Investors

On October 26, 2017, Stephanie Avakian, Co-Director of the SEC’s Enforcement Division, gave a speech which discussed the Commission’s initiative related to retail investor protection and cybersecurity. The speech gave an overview of how the SEC is allocating resources to further address two of its more critical priorities, protecting retail investors and combatting cyber threats.

The SEC continually focuses on protecting retail investors, because they are the most vulnerable. According to Avakian, the SEC will also remain focused on cyber-related issues. To align the SEC’s resources with those two key priorities, the Commission created the Retail Strategy Task Force and a Cyber Unit.

The Retail Strategy Task Force

The Retail Strategy Task Force’s goal is to identify widespread misconduct by analyzing the many ways that retail investors intersect with the securities markets. The Task Force will identify strategies, such as data analytics and technology, which have been successful in other cases where misconduct has occurred.

The Task Force will work with others in Enforcement and in the Agency, such as the Office of Market Intelligence, the Center for Risk and Quantitative Analytics, and the Division of Economic and Risk Analysis. The Task Force will also work closely with the Office of Compliance Inspections and Examinations (“OCIE”) along with investigators from across the Enforcement Division.

Avakian cited a number of areas where there has been widespread misconduct such as:

  • Charging inadequately disclosed fees;
  • Recommending and trading in wholly unsuitable strategies and products;
  • Investment professionals steering customers to mutual fund share classes with higher fees when lower-fee share classes are available; and
  • Wrap-fee account abuses such as not disclosing the additional costs of trading away, trading through unaffiliated brokers, or purchasing alternative products that charge additional fees.

The Task Force will also focus on protecting investors who are buying and holding inappropriate products, such as inverse exchange-traded funds, for long-term investment in retirement accounts. In addition, it will look closely at the sale of structured products to retail investors and abusive practices like churning and excessive trading.

Cyber Unit

The Cyber Unit arose in response to the frequency of cyber-related misconduct affecting the securities markets. The SEC determined it was critical to have a group of people who are specifically focused on dealing with cyber threats. Furthermore, to facilitate enforcement, the SEC needed a consistent, well-informed, and measured approach. The SEC decided that a dedicated Cyber Unit would help the Commission achieve those objectives.

Avakian discussed three types of cases that are of particular interest to enforcement:

  1. Cyber-related misconduct used to gain an unlawful market advantage;
  2. Failures by registered entities to take appropriate steps to safeguard information or ensure system integrity; and
  3. Failure to provide meaningful and timely disclosures regarding cyber risks and incidents.

The SEC has adopted rules, such as Regulations S-P, S-ID, and SCI, which require registered entities to have reasonable safeguards in place to address cyber threats. Although these rules are risk-based and flexible, they require firms to understand the risks they are facing and to take reasonable steps to address them.

“The SEC is responding to the increasingly dangerous cyber threat landscape we are witnessing in 2017. Although we can expect more regulation and enforcement cases related to cybersecurity, firms will have far less exposure if they adopt and maintain an appropriate information security program,” noted Eric Hess, Managing Partner of HLC, who provides a full spectrum of cybersecurity services to financial firms. Hess continued, “Firms that have under-resourced this problem are inevitably going to find themselves under the microscope and should consider bringing in an experienced cybersecurity firm to determine where their greatest information security gaps are.”

NCS Regulatory Compliance works with HLC to deliver cybersecurity assessments and ongoing cybersecurity management services that help firms deal with cyber threats and fulfill their regulatory obligations pertaining to cybersecurity. For more information, visit http://www.ncsregcomp.com/consulting/cybersecurity-assessments/ or contact 800-800-3204.

Conclusion

Avakian’s speech warned that the SEC’s initiative does not mean the Commission is allocating fewer resources to fighting financial fraud or policing Wall Street. According to Avakian, it is a false premise to state that there is a trade-off between “Wall Street” and “Main Street” enforcement.

When it comes to cybersecurity, firms should also avoid making trade-offs. Securities regulators expect firms to implement robust and meaningful information security programs. The failure to meet their expectations increases the risk of an enforcement action and exposes clients to a cyber attack. There should be no trade-offs when it comes to protecting your firm’s clients.

Avakian’s discussion of the SEC’s initiative can be found at https://www.sec.gov/news/speech/speech-avakian-2017-10-26.

Les Abromovitz