The US Securities and Exchange Commission (SEC) is expected to launch “phase two” of its cybersecurity sweep this summer, or October at the latest, said SEC director Jane Jarcho during a speech at the Investment Adviser Association’s annual compliance conference in Virginia last week.
The exams are expected to target the same number of registrants as phase one, which included 57 registered broker-dealers and 49 registered investment advisers, seven of which were private fund managers. However, the exams will be onsite and go more “in-depth” into a few unspecified cybersecurity areas.
Like phase one, the commission will publicly release a document listing what questions it will focus on ahead of the onsite exams, according to an IA Watch interview with Jarcho on Monday.
In February, the commission gave registered advisers mixed scores on their cybersecurity readiness.
The vast majority of registered investment advisers now have written information security policies in place, but significantly fewer conduct periodic risk assessments on third-party vendors with access to their firms’ networks, the commission said after releasing its phase one findings.
The SEC concluded that a majority of advisers have implemented basic cybersecurity strategies – such as including a cyberattack as part of their business continuity planning – but that few firms were reporting fraudulent emails to the Financial Crimes Enforcement Network and following other advanced cybersecurity best practices.
For an in-depth report on how firms are protecting themselves from digital attacks – and where cybersecurity vulnerabilities still exist – see the February cover story of pfm.