In the wake of recent major cyber security breaches at retailers and banks, the SEC held a cyber security roundtable meeting in March to discuss the current data breach climate and how financial advisors and firms can protect themselves from cyber attacks. Speakers at the event emphasized that financial institutions of all sizes face daily threats, with top risks identified as operational risks, employee theft and hackers. Steps for addressing inadequate cyber security and reducing potential vulnerabilities were discussed. The long and short of it? Due to increased cyber risk threats to the financial sector, the SEC is making data security a priority in 2014.

SEC Disclosure Guidance: A History
The SEC initially provided Disclosure Guidance related to cyber security in October 2011. The viewpoint was that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. It was conceded that no existing disclosure requirement explicitly referred to cyber security risks and cyber incidents, but a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. 

The SEC further recognized that registrants had migrated toward increasing dependence on digital technologies to conduct their operations, which led to more frequent and severe cyber incidents. These incidents open up registrants to a variety of liabilities, including liability for remediation costs resulting from stolen assets or information; repairing system damage; increased cyber security protection costs; lost revenue resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack; litigation; and reputational damage adversely affecting customer or investor confidence. The 2011 Disclosure Guidance also provided a framework for how and when a registrant should disclose the risks of a cyber attack and its consequences.

Fast forward to 2014: current updates from the SEC's Office of Compliance Inspections and Examinations (OCIE) indicate that OCIE is exploring ways to test the preparedness of investment advisors and investment companies related to cyber security issues. In preparation for such tests, financial firms and advisors should consider a number of measures to reduce cyber security risks.