The Covid-19 pandemic and its impact on “market events” will help set a path for priorities for the Securities and Exchange Commission’s new Event and Emerging Risk Examination Team. Marc Gilman, general counsel at Theta Lake, says the EERT could turn to remote work, Reg BI, and cybersecurity issues.
The SEC recently created a new Event and Emerging Risk Examination Team as part of its Office of Compliance Inspections and Examinations to “proactively engage with financial firms about emerging threats and current market events.” To call the creation of the EERT “timely” would be an understatement.
Given that the pandemic has created a kind of persistent “market event,” there would appear to be a broad range of issues where the EERT might deploy its expertise. With a multitude of converging stresses arising from the Covid-19 crisis including market gyrations, physical displacement, and an increase in fraudulent phishing and hacking activity, the need for an expert team to provide rapid, specialized support is welcome.
The specifics of the EERT’s priorities and their method of engagement have not been disclosed, but recent OCIE risk alerts, news items, and supporting materials can provide an outline. No doubt the ongoing ramifications of the pandemic will influence the EERT’s priorities in the near term.
Areas of Potential EERT Involvement
Based on an Aug. 12 alert, “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers,” one area where OCIE is generally focused is the supervision of business activities in the remote work environment. There are several supervisory areas where the EERT’s support could be leveraged, including the adequacy of remote oversight procedures, the monitoring of communications and transactions, and the limitations of on-site diligence reviews in work-from-home scenarios.
The multitude of collaboration tools being leveraged by SEC member firms presents new and unique supervisory challenges. Dynamic screen sharing, webcam, whiteboarding, and other visual capabilities increase the risk that account details, personal information, and material nonpublic information (MNPI) could be intentionally or inadvertently shared. The EERT may be tasked with examining the policies, procedures and supporting technologies firms are using to ensure these platforms are being used appropriately.
From a conduct perspective, the EERT might focus on issues related to Regulation Best Interest, particularly given apparent challenges conforming to the formatting and content requirements of Form CRS. As firms develop the compliance and disclosure components of their Reg BI strategies, the EERT may investigate those as well.
Reg BI implementation has not paused despite Covid-19 disruptions, so additional EERT efforts may supplement those of OCIE.
Business Continuity Plans
Of course, given the invocation of business continuity plans as part of pandemic response, it seems natural that the EERT would analyze firms’ maintenance and execution of these protocols.
In the August alert, the SEC noted that firms’ “normal operating conditions” may need a refresh as business practices initially modified as part of a BCP response may now be routine protocols given the persistent nature of the pandemic work conditions.
As discussed in the SEC’s EERT announcement, cybersecurity will be an important focus for the team. It was mentioned in the August alert and, importantly, was also the subject of a January report on cybersecurity and resiliency observations.
The August alert broadly discusses the protection of sensitive information, including system access, safeguarding customer data, and management of vendors and third parties; each of these topics is a good candidate for the EERT’s docket.
Additionally, OCIE released a cybersecurity alert on ransomware in July, reinforcing the need for additional awareness training, strengthening perimeter security, and disciplined vulnerability management practices.
On a related note, FINRA has highlighted cybersecurity risks in recent months, releasing regulatory notice 20-27 regarding the use of fake FINRA domain names and regulatory notice 20-30 about the proliferation of imposter websites.
Reading these alerts and notices together evidences the need for vigilance on cybersecurity issues and the EERT’s certain coverage of this area.
OCIE Inspection, Examination Activity
OCIE has not paused its routine inspection and examination activities in light of the pandemic, stating on the SEC’s coronavirus (Covid-19) response page that it “remains fully operational nationwide and, with adjustments to take into account health and safety measures” and “continues to execute on its investor protection mission.”
In terms of the mode of engagement, the SEC’s response page offers clues, noting of OCIE generally that “in light of health and safety concerns and other circumstances, OCIE has moved to conducting examinations off-site through correspondence, unless it is absolutely necessary to be on-site.”
Firms can expect EERT to engage similarly—through correspondence and, only in exceptional cases, on-site. Although unsaid, it seems that the EERT will leverage collaboration tools like Zoom, Cisco Webex, and Microsoft Teams for communication purposes, given their ability to facilitate quick and effective sharing of information and allow the EERT to supplement written correspondence with deeper conversations while complying with social distancing mandates.
The next few months will no doubt be busy ones for the EERT. Their background and capabilities should give comfort to those in the industry concerned with the protection of investors, management of market stability, and supervision of the conduct of its member firms during these difficult and strange times.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Marc Gilman is general counsel and vice president of compliance at Theta Lake. He is also an adjunct professor at Fordham University School of Law. Follow him on Twitter: @marcwiki.