SEC Outlines Cybersecurity and Resiliency Best Practices

Regulatory Agencies

Recognizing that there is no such thing as a “one-size-fits-all” approach, the SEC has published guidance to help firms in the securities market enhance their cybersecurity preparedness and operational resiliency.

Published by the Commission’s Office of Compliance Inspections and Examinations (OCIE), the “examination observations” highlight specific examples of practices and controls that organizations have taken to potentially safeguard against threats and respond in the event of an incident. 

The areas addressed in the report include governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.

“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” notes OCIE Director Peter Driscoll. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”

To that end, the report strongly encourages firms, providers and vendors participating in the securities markets to appropriately assess and manage their cybersecurity risk profiles, including their operational resiliency, as cyber-threat actors are becoming more aggressive and sophisticated – and in some cases are backed by foreign governments.

Risk Management

The SEC explains that although the effectiveness of any given cybersecurity program is fact-specific, the report highlights a key element of effective programs: the incorporation of a governance and risk management program that includes, among other things:

  • a risk assessment to identify, analyze and prioritize cybersecurity risks to the organization; 
  • written cybersecurity policies and procedures to address those risks; and 
  • the effective implementation and enforcement of those policies and procedures.

In the area of data loss prevention, for example, the SEC recommends that firms establish a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third-party providers.

The report also advises firms to keep an eye on user access and develop procedures that: 

  • monitor for failed login attempts and account lockouts; 
  • ensure proper handling of customer requests for user name/password changes, as well as procedures for authenticating unusual customer requests; 
  • consistently review for system hardware and software changes to identify when a change is made; and 
  • ensure that any changes are approved, properly implemented and that any anomalies are investigated.
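One way to implement the first of these procedures, a monitor that flags failed-login bursts and account lockouts in authentication logs, as an added example that is not part of the report or this article. The syslog-style line format, the user names and addresses, and the policy of three failures within five minutes are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines (not from the report); syslog-style format is assumed.
SAMPLE_LOG = """\
2020-02-03T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 5001
2020-02-03T09:00:05 sshd[102]: Failed password for alice from 203.0.113.7 port 5002
2020-02-03T09:00:09 sshd[103]: Failed password for alice from 203.0.113.7 port 5003
2020-02-03T09:00:12 sshd[104]: Failed password for alice from 203.0.113.7 port 5004
2020-02-03T09:00:20 sshd[105]: Accepted password for bob from 198.51.100.4 port 6001
2020-02-03T09:15:00 sshd[106]: Failed password for carol from 192.0.2.9 port 7001
2020-02-03T09:40:00 pam_tally2[107]: user dave locked out after 5 failed attempts
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
LOCK_RE = re.compile(r"user (?P<user>\S+) locked out")

def detect_auth_anomalies(log_text, threshold=3, window_seconds=300):
    """Return a list of (kind, user, detail) alerts.

    Flags a user once when they reach `threshold` failed logins inside a
    sliding time window (assumed policy: 3 failures in 5 minutes), and
    reports every account-lockout event so it can be reviewed.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()               # users already reported, to avoid duplicate burst alerts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]
        lock = LOCK_RE.search(msg)
        if lock:
            alerts.append(("lockout", lock["user"], msg))
            continue
        fail = FAIL_RE.search(msg)
        if not fail:
            continue              # successful logins and other events are ignored here
        user, src = fail["user"], fail["src"]
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append(("failed_login_burst", user, f"{len(q)} failures from {src}"))
    return alerts
```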

“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts,” SEC Chairman Jay Clayton said in a statement. “I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”

Both the OCIE and FINRA recently released their respective exam priorities for 2020, and cybersecurity and other information security risks across the examination programs were top priorities.
