As markets grow more global and complex, so too are the threats through cyber intrusion, denial of service attacks, manipulation, misuse by insiders and other cyber misconduct. In the United States, aspects of cybersecurity are the responsibilities of multiple government agencies, including the SEC. Cybersecurity is also a responsibility of every market participant. The SEC is committed to working with federal and local partners, market participants and others to monitor developments and effectively respond to cyber threats.
CYBERSECURITY UPDATE:
CISA and its partners are responding to active, widespread exploitation of a critical remote code execution vulnerability in Apache’s Log4j software library. Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system. For more information please visit: CISA’s Apache Log4j Vulnerability Guidance.
Get Information on Ransomware
Ransomware attacks are increasing in scale, sophistication, and frequency, victimizing governments, individuals, and private companies around the world. The Cybersecurity and Infrastructure Security Agency (CISA) has launched StopRansomware.gov a one-stop resource for individuals and organizations of all sizes to reduce their risk of ransomware attacks and improve their cybersecurity resilience. This webpage brings together tools and resources from multiple federal government agencies under one online platform. Learn more about how ransomware works, how to protect yourself, how to report an incident, and how to request technical assistance.
GETTING IN THE KNOW
Investors increasingly rely on the internet to open investment accounts, check up on their holdings and make securities transactions. The SEC provides valuable guidance, including an Investor Alert and Investor Bulletin to help investors get in the know and protect themselves from cyber threats.
KEEPING A WATCHFUL EYE
The SEC provides cybersecurity guidance to help broker-dealers, investment advisers, investment companies, exchanges, and other market participants protect their customers from cyber threats. The agency also keeps a watchful eye over market participants, including by making cybersecurity a priority of its National Exam Program.
HOLDING THEM ACCOUNTABLE
The SEC uses its civil law authority to bring cyber-related enforcement actions that protect investors, hold bad actors accountable, and deter future wrongdoing. The Division of Enforcement’s Cyber Unit was established in September 2017 and has substantial cyber-related expertise. The Cyber Unit focuses on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked nonpublic information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms.
SEC Resources
- Investors
- Issuers / Public Companies
- Investment Advisers / Investment Companies
- Brokers and Dealers
- Self Regulatory Organizations
Investors
Providing Investors with Information
Investor Bulletin: Protecting Your Online Investment Accounts from Fraud
Investor Alert: Identity Theft, Data Breaches and Your Investment Accounts
Social Media and Investing: Understanding Your Accounts
Social Media and Investing: Avoiding Fraud
Issuers/Public Companies
Commission Statement and Guidance on Public Company Cybersecurity Disclosures
Investment Advisers/Investment Companies
Regulation S-ID
Subpart C - Regulation S-ID: Identity Theft Red Flags
Compliance Rules
Investment Company Act Rule 38-1
Investment Advisers Act Rule 206(4)-7
Adopting release for ICA Rule 38-1 and IAA Rule 206(4)-7 (see Section II(A)(1) of the Adopting Release, which provides additional information about issues that the policies and procedures of funds or advisers should consider, certain of which are related to cybersecurity)
Engaging Government Agencies and Industry
Cybersecurity Guidance for Investment Advisers and Registered Investment Companies
Guidance on Business Continuity Planning for Registered Investment Companies
Assessing Market Participant Readiness
OCIE August 2017 – Observations from Cybersecurity Examinations
OCIE May 2017 – Cybersecurity: Ransomware Alert
OCIE September 2015 Cybersecurity Examination Initiative
OCIE February 2015 - Risk Alert: Cybersecurity examination Sweep Summary
OCIE January 2012 - Risk Alert: Investment Adviser Use of Social Media
Brokers and Dealers
Regulation SDR
Adopting release (see pages 232-236 for explanatory text)
Regulation S-ID
Subpart C - Regulation S-ID: Identity Theft Red Flags
Market Access Rule
Rule 17a-4(f) SEC Interpretation: Electronic Storage of Broker-Dealer Records
Assessing Market Participant Readiness
OCIE August 2017 – Observations from Cybersecurity Examinations
OCIE May 2017 – Cybersecurity: Ransomware Alert
OCIE September 2015 Cybersecurity Examination Initiative
External Resources
Are You Cyber-Savvy?
Cybersecurity Quiz
News
DID YOU KNOW?
The SEC Division of Enforcement’s IT Forensics Lab hosts a highly specialized team of forensic analysts to assist in digital investigations, including cyber investigations.
Cybersecurity Risk Alerts
- Cybersecurity Risk Alert: Safeguarding Client Accounts against Credential Compromise
September 15, 2020 - Cybersecurity Risk Alert: Ransomware Alert
July 10, 2020 - Cybersecurity Risk Alert: Safeguarding Customer Records and Information in Network Storage - Use of Third Party Security Features
May 23, 2019 - Cybersecurity Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P - Privacy Notices and Safeguard Policies
April 16, 2019
Email Updates
Signup for news about this topic.
Modified: Dec. 16, 2021