SEC’s OCIE Releases Cybersecurity and Resiliency Observations from Examinations

On January 27, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) announced the release of its Cybersecurity and Resiliency Observations from examinations of market participants. The publication details practices in cybersecurity and operational resiliency undertaken by SEC member firms that are recommended by OCIE.

In the press release announcing the report, Peter Driscoll, Director of OCIE, said, “Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency. We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”

OCIE Cybersecurity and Resiliency Observation Highlights

OCIE has encapsulated its cybersecurity and resiliency findings from the thousands of examinations it has conducted, and from those recommendations outlined in previous Risk Alerts. Highlights of the recorded observations focus on the following:

Governance and Risk Management

• Ensure that senior leadership is engaged with and committed to mitigating cybersecurity risk
• Include cybersecurity as a key element in business planning, aligning it with other business processes
• Assess current levels of risks, including prioritizing potential vulnerabilities and identifying potential sources of risk
• Develop and implement comprehensive written policies and procedures
• Test and monitor policies and procedures, including constant vigilance to developing threats via cyber threat intelligence
• Adapt planning as necessary, and communicate changes both internally and externally, to clients, customers, employees, decision makers, and regulators, as needed

Access Rights and Controls

• Establish and implement comprehensive controls regarding the storage of data and rights to access that information. Limit access to information based on appropriate roles
• Manage access during all phases of employment and separation, reviewing access to information periodically, and protecting access via strong password requirements and multi-factor authentication (MFA)
• Monitor access for threatening and suspicious attempts, as well as for required changes necessitated by hardware and software issues

Data Loss Prevention

• Utilize tools and processes to ensure that sensitive data, including personally identifiable information (PII), is not exfiltrated, lost, or misused
• Scan assets such as software code, databases, workstations, and more for vulnerabilities, and take preventive measures
• Monitor and control all incoming and outgoing network traffic, using firewalls, intrusion detection, email security, restrictions on external devices such as USB thumb drives, etc.
• Capture the movement of data, and especially suspicious activity, via intrusion detection systems, logging systems, etc.
• Ensure that all operating system and anti-malware software updates are applied, using a patch management system
• Identify all components and locations of hardware and software assets
• Encrypt data at rest (e.g., on hard drives, in databases) and in transit (e.g., during email transmission, in web form transmissions)
• Decommission and dispose of hardware and software assets in a secure fashion.
• Extend monitoring efforts to insider threats, ensuring detection and prevention of data loss implemented from within the organization

Mobile Security

• Establish policies and procedures related to the security of mobile devices
• Use mobile device management (MDM) software and extend its use to personal devices when used for company business
• Enforce security measures such as MFA, the ability to remotely clear data from devices, etc.
• Train staff on proper security for mobile devices

Incident Response and Resiliency

• Enhance company capabilities regarding the ability to react appropriately to security events (incident response) and ensuring the speedy resumption of company functioning following events (resiliency)
• Develop and maintain appropriate plans that include specified notification and response patterns, chains of responsibility, communication paths, and more
• Address reporting requirements in planning, including clear and detailed instructions for appropriate legal, enforcement, and regulatory reporting
• Maintain inventories of key business systems and operations, including maps of system process and services
• Assess and determine risk tolerances
• Ensure methods of resilient functioning such as physical separation of backup data, offline backups, and cybersecurity insurance
• Test and assess incident response and resiliency plans, refining them based on test results

Vendor Management

• Ensure that cybersecurity is monitored and overseen in relation to work with and practices at third-party service providers
• Establish a vendor management program to ensure that safeguards and security programming is implemented
• Use due diligence, including questionnaires based on industry standards and security principles
• Carefully establish contractual obligations that cover necessary security terms
• Monitor and test vendors, maintaining awareness of new developments at third-party service providers
• Establish secure procedures for changing vendors, including those that are cloud-based

Training and Awareness

• Consistently provide staff with awareness of their roles and responsibilities regarding cybersecurity, including methods of detecting and responding to suspicious events
• Build a culture of cybersecurity awareness and readiness, including training methods that engage staff with practical situations and exercises
• Ensure awareness, understanding, and acceptance of policies and procedures related to cybersecurity
• Continually monitor training efforts, improving them based on results and the current cybersecurity environment

ACA Aponix Guidance

OCIE’s Cybersecurity and Resiliency Observations provides an extensive and far-reaching blueprint for SEC-registered firms to both establish and maintain sound cybersecurity policies and procedures. While serving to help firms protect themselves from cyber and operational risk, firms should likewise consider these observations as warnings – the OCIE is in effect is saying these are things they expect to see during their examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others.

How We Help

ACA Aponix offers the following services that can help your firm develop and implement a comprehensive cybersecurity program in light of the SEC OCIE’s Cybersecurity and Resiliency Observations:

• Cybersecurity and technology risk assessments
• Policies, procedures, and governance
• Cyber incident response planning
• Vendor diligence and management
• Phishing testing and cyber awareness training
• Penetration testing and vulnerability assessments
• Mock regulatory cyber exams
• Threat intelligence
• Microsoft^® Office 365^® security assessments
• CCPA and other data privacy gap assessments and advisory services

Please contact us to learn how we can help your company.

Contact Us

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.