As we predicted in our Connect on Tech discussion in March, the U.S. Securities and Exchange Commission ("SEC") is ramping up its examination and enforcement focus on cybersecurity at financial institutions, including scrutiny of whether published procedures are actually implemented and followed once a cyber breach is discovered. Furthermore, the SEC appears to signal its expectation that multi-factor authentication ("MFA") should be in place for email accounts containing sensitive client and customer information. In this article we further address three SEC orders issued yesterday.
Deploy MFA for Firm Email Accounts: The SEC did not specifically say that Regulation S-P requires MFA in all cases, but it made clear its expectation that firms should have MFA in place (particularly once aware of email account takeovers), as a reasonable means of thwarting phishing, credential stuffing, and other modes of attack. Firms should take steps to assess their MFA requirements for protecting sensitive client and customer information.