On January 27, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission issued a statement summarizing its observations of the cybersecurity and operational resiliency practices of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants (the Observations). In its introduction to the Observations, the OCIE staff notes that cybersecurity is a key priority for OCIE. Therefore, although the OCIE staff acknowledges that there is no “one-size-fits-all” approach to addressing cybersecurity, it recommends that SEC registrants assess their cybersecurity practices in light of the Observations.
The recommendations of the Observations include the following:
- Governance and Risk Management. OCIE observed that the key elements of effective governance and risk management programs include: 1) senior level engagement in setting the strategy and overseeing the cybersecurity and resiliency program; 2) developing and conducting risk assessments to identify and mitigate risks; 3) adopting and implementing comprehensive policies and procedures addressing cybersecurity; 4) establishing comprehensive testing and monitoring of cybersecurity policies and procedures; 5) responding promptly to testing and monitoring results; and 6) establishing internal and external communication policies and procedures to provide timely information to the appropriate parties.
- Access Rights and Controls. OCIE observed that strategies for determining appropriate users for firm systems include: 1) understanding access needs; 2) managing and restricting users as appropriate; and 3) preventing, monitoring and investigating unauthorized access.
- Data Loss Prevention. OCIE observed the use of the following data loss prevention measures: 1) establishing a vulnerability management program; 2) establishing perimeter security and monitoring network traffic; 3) implementing systems that provide detective security; 4) establishing a patch management program; 5) inventorying hardware and software; 6) securing data through encryption software and network segmentation; 7) creating an insider threat program to identify suspicious behaviors; and 8) decommissioning and disposing of hardware and software in a manner that does not create vulnerabilities.
- Mobile Security. OCIE observed that vulnerabilities related to the use of mobile devices and mobile applications may be mitigated by: 1) establishing policies and procedures for the use of mobile devices; 2) using a mobile device management application to manage a firm’s mobile device applications; 3) implementing security measures, which may include preventing printing, copying or saving information to personally owned devices and remotely clearing data and content from devices; and 4) training employees on policies and practices to protect mobile devices.
- Incident Response and Resiliency. OCIE observed that incident response plans tend to include the following: 1) developing a risk-assessed incident response plan for various scenarios and maintaining procedures on appropriate notification, escalation and communication of cybersecurity incidents; 2) addressing how to meet applicable reporting requirements; 3) assigning staff to execute specific areas of the plan; and 4) testing the plan and recovery times. In addition, OCIE observed that addressing resiliency includes: 1) identifying and prioritizing core business services; 2) determining which systems can be substituted during disruption; 3) implementing geographic separation of back-up data; 4) considering the effects of business disruptions; and 5) potentially purchasing cybersecurity insurance.
- Vendor Management. OCIE observed that proper vendor management includes: 1) conducting due diligence of vendors; 2) understanding vendor relationships and contract terms, along with the risks related to vendor outsourcing; and 3) monitoring vendor relationships to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
- Training and Awareness. OCIE observed that sound training practices include: 1) training staff to implement the firm’s policies and procedures and building a culture of cybersecurity readiness and operational resiliency; 2) providing cybersecurity examples and exercises, including phishing exercises and training on how to identify and respond to breaches and suspicious client behavior; and 3) monitoring training attendance and continuously updating trainings based on cyber-threat intelligence.
The Observations further encourage SEC registrants to: 1) monitor the SEC’s Cybersecurity Spotlight page; 2) sign up for alerts from the Cybersecurity and Infrastructure Security Agency; 3) participate in information-sharing groups such as the Financial Services Information Sharing and Analysis Center; and 4) consult the National Institute of Standards and Technology Cybersecurity Framework.
The Observations are available here.