The Securities and Exchange Commission’s creation of its Cyber Unit, coupled with an uptick in exams and the relentless onslaught of cyber intrusion attempts, should put broker-dealers and investment advisors on notice that regulators are training their sights on policies, practices and people.

“I’m aware of exams that are going on by both the SEC and Finra, and I think it’s just a matter of time before enforcement referrals are made,” said Brian L. Rubin, a partner with Eversheds Sutherland, which recently published a new legal alert: “SEC and States Are Upping Their Cyber Game, Are You Doing the Same?”

With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well.

The unit will function as part of the SEC’s Enforcement Division to target misconduct in six cyber-related priority areas:

• Market manipulation schemes involving false information spread through electronic and social media;

• Hacking to obtain material nonpublic information;

• Violations involving distributed ledger technology and initial coin offerings;

• Misconduct perpetrated using the dark web;

• Intrusions into retail brokerage accounts; and

• Cyber-related threats to trading platforms and other critical market infrastructure.

Last year, the SEC fined Morgan Stanley $1 million for failure to protect information in 730,000 client accounts, which were first stolen by an employee and transferred to a personal server and then hacked and offered for sale online. The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines light on what the SEC expects from firms when it comes to their internal web applications and portals that give employees access to customers’ confidential account information.

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques.

Examiners are also looking at employee training and vendor relationships, Rubin said, adding that firms should have policies that show they’re actively training their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity. Firms are also responsible for knowing what kind of cybersecurity system their vendors have.

State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors, in the first year in which state regulators reported on cybersecurity incidents.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to frequently assess these requirements.

To minimize threats posed by data breaches, NASAA recommends that firms routinely back up devices and store the underlying data in a separate, remote location, and that they regularly test backup procedures to ensure the backups are suitable. Similarly, firms should consider whether e-mail communications should be sent securely, especially where they involve identifiable information regarding a client.