On Feb. 7, 2023 the Securities and Exchange Commission (SEC) Division of Examinations released its 2023 exam priorities, which included notable highlights such as:
- Compliance with recently adopted rules under the Investment Advisers Act of 1940 and Investment Company Act of 1940.
- Registered investment advisers to private funds.
- Standards of conduct: Regulation Best Interest, fiduciary duty and Form CRS.
However, there were two areas within this year’s SEC exam priorities which, while not new, highlighted the significant potential for regulatory risk faced by firms today: cybersecurity or information security and cryptocurrency.
2023 SEC exam priorities: Highlighting the regulatory risk of information security and crypto assets
The inclusion of these priorities should come as no surprise given the SEC’s focus on both regulatory risk points over the past 12 months. In fact, the SEC has proposed new rulings for SEC-registered investment firms which encompass both of these risk areas, continuing to push for more regulation regarding cryptocurrency and increased disclosure requirements should a cyber-attack occur. Despite some negative response to these new rulings, the SEC continues to advocate for the necessity of protecting consumers and the market at large from the significant impact which can result from both cryptocurrency and information security.
On information security and operational resilience, the Division stated, “The current risk environment related to cybersecurity is considered elevated given the larger market events, geopolitical concerns, and the proliferation of cybersecurity attacks, particularly ransomware attacks. Given these risks and concerns, cybersecurity remains a perennial focus area for registrants, including RIAs, broker-dealers, investment companies, municipal advisors, transfer agents, exchanges and clearing agencies.”
In regard to crypto assets and emerging financial technology, the Division stated, “The Division continues to observe the proliferation of certain types of investments (e.g., crypto assets and their associated products and services) and emerging financial technology (e.g., broker-dealer mobile apps and RIAs choosing to provide automated digital investment advice to their clients). To address these observations, the Division will conduct examinations of broker-dealers and RIAs offering new products and services or employing new practices. These new practices include technological and on-line solutions to meet the demands of compliance and marketing and to service investor accounts (e.g., on-line brokerage services, internet advisers, and automated investment tools and trading platforms, including RIAs referred to as “robo-advisers”).
Given the disruptions caused by recent financial distress among crypto asset market participants, the Division will continue to monitor and, when appropriate, conduct examinations of potentially impacted or affected registrants. Examinations of registrants will focus on the offer, sale, or recommendation of, advice regarding and trading in crypto or crypto-related assets.”
The SEC has made it clear that, for SEC-registered firms, cryptocurrency and cybersecurity are and will likely remain top concerns for the foreseeable future. As increased regulations create heightened requirements, chief compliance officers (CCOs) and compliance professionals would be well advised to proactively assess their compliance programs' efficacy within these areas.