OCIE has now issued examination observations on the cybersecurity and operational resiliency practices of investment advisers and other market participants. The observations, which include examples, cover governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Members are encouraged to incorporate these observations into their cybersecurity assessments. A copy of the examination guidance can be found here.
OCIE has announced its 2020 exam priorities as part of its risk-based approach to protecting investors. As in the past, the prioritized key risk areas affecting SROs, clearing firms, investment advisers and other market participants include:
- Retail Investors, Including Seniors and Those Saving for Retirement
- Market Infrastructure related to capital markets, including clearing agencies, national securities exchanges, alternative trading systems and transfer agents
- Cyber and information security risks
- Examinations of RIAs, including investment companies, ETFs and private funds, that have never been examined (including new RIAs), and of the oversight practices of their boards of directors
- AML requirements
- Fintech and innovation, including digital assets and electronic advice
- Oversight of FINRA and MSRB operations, programs and their examinations of broker-dealers and municipal advisors
OCIE makes clear that the above risk areas are not exhaustive and will depend on the risk-based approaches employed by OCIE and its staff. A copy of the 2020 exam priorities can be found here.