SEC Maintains Information Security and Operational Resilience Focus in 2022

Publish Date


Cyber Alert

  • Cybersecurity
  • Cybersecurity Resources

The U.S. Securities and Exchange Commission (“SEC") Division of Examinations ("the Division") released their annual Exam Priorities for fiscal year (FY) 2022 on March 30, 2022.    

Information security and operational resilience continue to be top priorities, however what the Division of Examinations wants from firms has remained relatively unchanged since 2021. The Division is still looking for firms who have taken the appropriate measures to safeguard consumer data, oversee their third-party providers, address malicious incidents, respond to these incidents, and manage operational risk. Firms will also be assessed on their compliance with Regulation S-P and S-ID, where applicable. 

The Division will continue to review the operational resilience practices of broker dealers and registered investment advisors and their ability to prevent interruptions to critical services and protect investors’ data, including investor information, records, and assets. Moreover, business continuity and disaster recovery plans will continue to be assessed for the firm's ability to anticipate, respond to, and adapt to climate-related events.  

Our guidance 

The SEC’s 2022 Exam priorities are largely similar to their 2021 priorities. Therefore, examinations in 2022 should be expected to be relatively akin to 2021. Firms' preparations for information security and operational resilience exams can remain the same.  

However, despite the minimal change in exam priorities, the SEC has recently passed cybersecurity proposals that may significantly change how firms implement and maintain their security program.

The SEC voted on February 9, 2022, to propose Rule 206(4)-9, which that requires firms to implement, document, and report their security controls and procedures. Firms should monitor the progress of this rule to determine how it will impact them.


Continued learning

  • Navigating Uncertainty: Risk Management and the Regulatory Agenda
    Join us April 26 - 28 for ACA's Virtual Annual Conference where we’ll explore what regulatory priorities, emerging risks, and industry trends await compliance and risk professionals and how to navigate the changes ahead while moving forward with confidence. Register here.
  • Regulatory Headwinds Webcast Series
    ACA will be hosting a series of fireside chats and webcasts surrounding the SEC's Priorities and recent rule proposals. See what's coming up next on our webcast calendar here.

How we help

We offer a number of assessments that can help firms meet the requirements laid out in the SEC’s 2022 priorities, including mock regulatory cyber exams, risk assessments and testing, and penetration testing and vulnerability assessments. We also provide business continuity planning development and implementation assistance designed to help your firm address operational risks in the event of disruption. 

If and when Rule 206(4)-9 is implemented, we can help firms prepare for examinations that could focus on the details of the firm's cybersecurity policies and procedures, as well as potentially 5 years of books and records around cybersecurity. Learn more about our solutions here.

For questions about this alert, or to find out how ACA can help you meet your regulatory cybersecurity obligations, please reach out to your consultant or contact us.