
InfoBytes Blog

Financial Services Law Insights and Observations

SEC reports cybersecurity and resiliency observations

Agency Rule-Making & Guidance, SEC, Privacy/Cyber Risk & Data Security, Securities, Supervision, Risk Management


On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:

  • Governance and Risk Management. OCIE lists senior-level engagement as an important factor in an effective cybersecurity program. Also important are a thorough risk assessment of the program and the application of policies and procedures based on that assessment. Additionally, the cybersecurity program should continuously evolve and provide for constant testing and monitoring.
  • Access Rights and Controls. OCIE emphasizes the need for controls to limit access to certain data only to authorized users. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes for users, and review systems for changes that are not approved.
  • Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
  • Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
  • Incident Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
  • Vendor Management. OCIE promotes proper due diligence of vendors as well as effective vendor management, including monitoring and testing to ensure security requirements are continually met.
  • Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.