On January 7, 2019, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In doing so, OCIE identified certain areas of technology-related concern, and in particular, on the issue of alternative data and cybersecurity. [For a more detailed review of OCIE’s exam priorities, see the Client Alert posted on our firm’s website].

  • Alternative Data: For the first time, OCIE has publicly listed alternative data as an examination priority, stating that “examinations will focus on firms’ use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions.”

Buy-side funds using alternative data should expect a heightened level of scrutiny from OCIE on this issue. Such entities should be ready to explain, among other things, its due diligence procedures for evaluating and vetting alternative data vendors and their techniques and contractual approaches used with such vendors, as well as protections against receipt of personally identifiable information (PII) and other potential MNPI considerations.

  • Cybersecurity: Following the SEC’s 2018 updated guidance on public company cybersecurity disclosures, information security remains a prominent focus of OCIE across its entire examination program. Specifically, OCIE stated that examinations will center on things such as “proper configuration of network storage devices, information security governance generally, and retail trading information security.” Moreover, OCIE announced that it would focus on vendor oversight practices, including cloud storage relationships, including “the controls surrounding online access and mobile application access to customer brokerage account information.” Lastly, the OCIE referenced that one of its priorities would be to examine the safeguards surrounding data disposal, specifically, the risks of retired hardware containing client information.

Expect a heightened level of scrutiny from OCIE on all of the foregoing.  Entities should review their cybersecurity practices, including their agreements with third party vendors and service providers, in anticipation of the questions OCIE is likely to ask.

  • Blockchain and Digital Currency: OCIE stated that the rapid growth of digital assets present various risks, and that it would continue to “examine SEC-registered market participants” engaged in certain cryptocurrency activities and transfer agents developing blockchain technology, among other things. For a more thorough discussion of the blockchain and digital currency-related issues outlined by OCIE, please see the post on our Blockchain and the Law blog.
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is a partner, co-head of the Technology, Media & Telecommunications Group, a member of the Privacy & Cybersecurity Group and editor of the firm’s New Media and Technology Law blog.

Jeff’s practice focuses on technology, media and advertising-related business transactions…

Jeffrey Neuburger is a partner, co-head of the Technology, Media & Telecommunications Group, a member of the Privacy & Cybersecurity Group and editor of the firm’s New Media and Technology Law blog.

Jeff’s practice focuses on technology, media and advertising-related business transactions and counseling, including the utilization of emerging technology and distribution methods in business. For example, Jeff represents clients in online strategies associated with advertising, products, services and content commercialized on the Internet through broadband channels, mobile platforms, broadcast and cable television distribution and print publishing. He also represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements.

Serving as a collaborative business partner through our clients’ biggest challenges, Jeff is part of the Firm’s cross-disciplinary, cross-jurisdictional Coronavirus Response Team helping to shape the guidance and next steps for clients impacted by the pandemic.