Now in the sixth year of its cybersecurity initiative, the OCIE compiled observations from thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants to identify common approaches businesses have taken to bolster their cybersecurity and resilience practices within seven distinct areas:
- Governance and Risk Management – programs for ensuring senior leader engagement so that cybersecurity risks are properly evaluated and communicated, and policies and procedures are effectively implemented and enforced;
- Access Rights and Controls – strategies to better understand and document where important data is located throughout the business and to create controls that restrict access to sensitive networks and data to authorized users only;
- Data Loss Prevention – tools and processes to ensure that sensitive data is not lost, misused, or accessed by unauthorized users;
- Mobile Security – mobile device and application security measures to address their unique vulnerabilities;
- Incident Response and Resiliency – common elements included in incident response plans and strategies to ensure business resiliency following an incident;
- Vendor Management – policies and procedures for selecting vendors, monitoring and overseeing vendor activities, and measuring associated risks in employing and allowing network or data access to vendors; and
- Training and Awareness – practices used to provide employees with information concerning cyber risks and responsibilities and heighten awareness of cyber threats.
Although these observations are not instructions on how best to implement these strategies or programs, they address the key areas that OCIE believes businesses should focus on to strengthen their cyber defenses. If a business realizes it has not implemented one of these strategies, OCIE suggests that it examine whether implementing that strategy would be feasible and would help improve its cybersecurity and resilience practices.
The Examination Observations highlights the SEC’s growing interest in cybersecurity among its regulated entities and follows the SEC’s decision in December to permit the National Securities Clearing Corporation to enact a cybersecurity requirement of its own for its 3,000 members. Although the OCIE observations are most directly applicable to SEC-regulated entities, other businesses may find the observations a useful guide to assessing the strength of their cybersecurity practices.
Authored by Peter Marta and Jasmeet Ahuja
Jake Nevola, a Law Clerk in our New York office, contributed to this entry.