SEC and FINRA: Sustained Focus on Cybersecurity and Cryptocurrency in 2018

By Mark Griffin and Matt White

Expect to see increased scrutiny and regulatory activity surrounding cybersecurity and cryptocurrency from both the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). Both have issued guidance outlining their priorities – see the SEC’s here and FINRA’s here – signaling that these key risk areas remain a growing focus for regulators.

Areas Subject to Particular Scrutiny

  • Cybersecurity: Recognizing the dramatic increase in the scope and severity of cyber threats, both the SEC and FINRA have identified cybersecurity as one of the most significant risks many firms face. Therefore, in 2018, both agencies continue to scrutinize cybersecurity programs and firms’ implementation of risk management procedures and controls (including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident responses). The agencies also continue to evaluate how firms protect sensitive information, including personally identifiable information, from both internal and external threats. FINRA also reminds firms that they must have policies and procedures in place to assess whether to file a suspicious activity report (SAR) when they identify a cybersecurity event. Both FINRA and the SEC have also expressed particular concerns regarding cybersecurity threats targeting seniors and other vulnerable investors.
  • Cryptocurrencies and Initial Coin Offerings: Significant media, public, and regulatory attention has been devoted to digital assets (such as cryptocurrencies) and initial coin offerings (ICOs) in the last year. Both the SEC and FINRA focus on protecting investors from the increased risks associated with the rapid growth of these markets. The SEC continues to monitor the sales of these products, and where they are securities, examine for regulatory compliance. Areas of the SEC’s focus includes whether adequate controls and safeguards are in place to protect these assets from theft or misappropriation, and whether investors are provided adequate disclosure about the risks associated with these investments. Similarly, FINRA continues to review the supervisory, compliance, and operational infrastructure that firms have in place to ensure compliance with relevant federal securities laws and regulations, and FINRA rules.

In addition, President Trump has recently announced the creation of a task force on market integrity and consumer fraud. The task force will include various financial industry regulators including the SEC, the Federal Reserve, the CFTC, the FDIC, and the Comptroller of Currency. Its charges include providing guidance for the investigation and prosecution of cases involving fraud on financial markets and consumers, including cyber-fraud and securities and commodities fraud, with particular attention to fraud affecting digital currency.

Firms should assess their compliance and supervisory programs in the context of these key risk areas. Firms must also evaluate their sales practices, as well as their policies and procedures with respect to these areas to ensure compliance with all applicable rules and securities laws.

If you have any questions regarding these or any other securities-related issues, or need assistance in evaluating your company’s policies and procedures, please contact the authors of this blog post or any of the attorneys in Baker Donelson’s Broker-Dealer/Registered Investment Adviser group.

Registration for Atlanta Cyber Week events, including Cybercon, is now open. Visit www.atlcyberweek.com and cybercon.us for more information.