SEC Publishes Cybersecurity and Resiliency Observations | Practical Law

Practical Law Legal Update w-023-8036 (Approx. 6 pages)

SEC Publishes Cybersecurity and Resiliency Observations

by Practical Law Corporate & Securities
Published on 29 Jan 2020
USA (National/Federal)
The SEC's Office of Compliance Inspections and Examinations (OCIE) published its observations on cybersecurity and resiliency practices.
On January 27, 2020, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) announced that it had issued examination observations relating to cybersecurity and operational resiliency practices taken by market participants. OCIE makes such observations using a risk-based approach to conduct examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others to promote compliance, prevent fraud, and monitor risk.
OCIE's observations highlight specific examples of cybersecurity and operational resiliency practices and controls taken by market participants to curtail potential threats and respond to potential incidents, specifically in the areas of:
  • Governance and risk management.
  • Access rights and controls.
  • Data loss prevention.
  • Mobile security.
  • Incident response and resiliency.
  • Vendor management.
  • Training and awareness.

Governance and Risk Management

OCIE has observed that to have an effective cybersecurity and operational resiliency program, organizations should use the following risk management and governance measures:
  • Devoting appropriate board and senior leadership engagement and attention to the strategy and oversight of the organization's cybersecurity and resiliency programs.
  • Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization's business.
  • Adopting and implementing comprehensive policies and procedures addressing the risks.
  • Establishing comprehensive testing and monitoring of cybersecurity policies and procedures on a regular and frequent basis to validate their continued effectiveness.
  • Updating cybersecurity policies and procedures to address any weaknesses in response to testing and monitoring.
  • Establishing internal and external communication policies and procedures to provide information expeditiously.

Access Rights and Controls

OCIE has observed strategies related to access rights and controls at organizations that perform the following:
  • Developing a clear understanding of user access needs to systems and data based on the user's authorizations and/or job responsibilities.
  • Managing user access through systems and procedures that:
    • limit access as appropriate (including during onboarding, transfers, and terminations);
    • implement separation of duties for user access approvals;
    • re-certify users' access rights on a periodic basis (paying closer attention to accounts with elevated privileges and access);
    • require use of strong and periodically changed passwords;
    • use multi-factor authentication (using an application or key fob to generate an additional verification code); and
    • revoke system access immediately for individuals no longer employed by the organization (including former contractors).
  • Monitoring user access and developing procedures that:
    • monitor for failed login attempts and account lockouts;
    • ensure proper handling of customers' requests for username and password changes (including unusual requests);
    • consistently review for and identify system hardware and software changes; and
    • ensure that any system hardware or software changes are approved, properly implemented, and that any anomalies are investigated.
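As an added example that is not part of the Practical Law update or the OCIE observations, the following Python script applies three of the listed controls to constructed data: active accounts still held by people who have left (employees or contractors), privileged accounts past an assumed quarterly re-certification window, and users hitting a failed-login threshold or an account lockout. The roster, directory export, log lines, review date and thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import date

REVIEW_DATE = date(2020, 1, 27)            # constructed review date
RECERT_DAYS_PRIVILEGED = 90                # assumed policy: privileged accounts re-certified quarterly
RECERT_DAYS_STANDARD = 365                 # assumed policy: other accounts re-certified annually
FAILED_LOGIN_THRESHOLD = 3                 # assumed alerting threshold
# Constructed HR roster of current staff, contractors included.
HR_ROSTER = {"alice": "employee", "bob": "contractor", "carol": "employee"}
# Constructed directory export: account status, privilege level, last re-certification date.
ACCOUNTS = {
    "alice": {"active": True,  "privileged": True,  "recertified": date(2019, 9, 1)},
    "bob":   {"active": True,  "privileged": False, "recertified": date(2019, 6, 1)},
    "dave":  {"active": True,  "privileged": True,  "recertified": date(2019, 11, 15)},  # left the firm
    "erin":  {"active": False, "privileged": False, "recertified": date(2019, 1, 1)},   # already disabled
}
# Constructed authentication log, one "<user> <result>" event per line.
AUTH_LOG = """alice FAIL
alice FAIL
alice FAIL
bob OK
carol LOCKOUT
alice OK""".splitlines()

def departed_with_active_access(accounts, roster):
    """Active accounts whose owner (employee or contractor) is no longer on the HR roster."""
    return sorted(u for u, a in accounts.items() if a["active"] and u not in roster)

def overdue_recertifications(accounts, today):
    """Active accounts not re-certified within the policy window; privileged accounts get the shorter one."""
    overdue = []
    for user, acct in accounts.items():
        if not acct["active"]:
            continue                           # disabled accounts are out of scope for recert
        limit = RECERT_DAYS_PRIVILEGED if acct["privileged"] else RECERT_DAYS_STANDARD
        if (today - acct["recertified"]).days > limit:
            overdue.append(user)
    return sorted(overdue)

def suspicious_logins(log_lines, threshold):
    """Users reaching the failed-login threshold or hitting an account lockout."""
    failures, flagged = Counter(), set()
    for line in log_lines:
        user, result = line.split()
        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                flagged.add(user)
        elif result == "LOCKOUT":
            flagged.add(user)
    return sorted(flagged)
```

Each function returns the accounts a reviewer would act on: disable, re-certify, or investigate.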

Data Loss Prevention

OCIE has observed the following data loss prevention measures used by organizations:
  • Establishing a vulnerability management program that routinely scans software code, web applications, servers and databases, workstations, and endpoints.
  • Implementing an enterprise data loss prevention solution capable of controlling, monitoring, and inspecting all incoming and outgoing network traffic to prevent unauthorized or harmful traffic (including firewalls, intrusion detection systems, email security, web proxy systems with content filtering, and blocking access to personal email and/or social media sites).
  • Implementing capabilities that can detect threats on endpoints, use signature and behavioral-based capabilities, and identify incoming fraudulent communications to prevent unauthorized software or malware from running.
  • Establishing policies and procedures to capture and retain system logs from systems and applications for aggregation and analysis, and enabling optional security features for software that provides automated actions (macros and scripts).
  • Establishing a patch management program covering all software and hardware (including anti-virus and anti-malware installation).
  • Maintaining an inventory of hardware and software assets and identifying critical assets and information (location and how to protect them).
  • Using tools and processes to secure data and systems, including:
    • encrypting data "in motion" internally and externally;
    • encrypting data "at rest" on all systems (laptops, desktops, mobile phones, etc.); and
    • implementing network segmentation and access control lists (limit data availability to only authorized systems and networks).
  • Creating an insider threat program to monitor and identify suspicious behaviors (increase cybersecurity program testing, create rules to block transmission of sensitive data, track corrective actions in response to testing, and other significant events).
  • Securing legacy systems and equipment by verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities by:
    • removing sensitive information from such systems and equipment and promptly disposing of them; and
    • reassessing vulnerability and risk assessments as legacy systems are replaced with more modern systems and equipment.

Mobile Security

OCIE has observed the following mobile security measures at organizations using mobile applications:
  • Establishing policies and procedures for the use of mobile devices.
  • Using a mobile device management application or similar technology for an organization's business (email, calendar, data storage, etc.) and ensuring the application works with all mobile phone/device operating systems.
  • Requiring the use of MFA for all internal and external users, preventing the saving of information on personally owned devices, and ensuring the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.
  • Training employees on mobile device policies and effective practices to protect mobile devices.

Incident Response and Resiliency

OCIE has observed that incident response practices at many organizations include:
  • Developing a risk-assessed incident response plan for various scenarios and establishing procedures that include:
    • timely notification and response if an event occurs;
    • a process to escalate incidents to appropriate levels of management; and
    • communication with key stakeholders.
  • Determining and complying with applicable federal and state reporting requirements for cyber incidents or events (knowing who to contact in response to certain cyber incidents: authorities, regulators, customers, etc.).
  • Designating employees with specific roles and responsibilities in the event of a cyber incident.
  • Testing and assessing the incident response plan and potential recovery times.

OCIE has observed the following strategies to address resiliency:
  • Identifying and maintaining an inventory of core business operations and services to prioritize (understanding the impact a system or process failure will have on the business services).
  • Developing a strategy for operational resiliency with defined risk tolerances tailored to the organization by:
    • determining which systems and processes are capable of being substituted during disruption so that business services can continue to be delivered;
    • ensuring geographic separation of back-up data; and
    • understanding the effects of business disruptions on stakeholders and other organizations.
  • Considering additional safeguards such as:
    • maintaining back-up data in a different network and offline; and
    • evaluating whether cybersecurity insurance is appropriate for the organization's business.

Vendor Management

OCIE has observed the following practices in the area of vendor management by organizations:
  • Establishing a vendor management program to ensure vendors meet cybersecurity requirements and implement appropriate safeguards.
  • Establishing procedures for terminating or replacing vendors (including cloud-based service providers).
  • Understanding all contract terms to ensure that all parties have the same understanding of how cyber risk and security is addressed (including risks related to vendor outsourcing).
  • Monitoring the vendor relationship to ensure continued compliance with the organization's cybersecurity requirements.

Training and Awareness

OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness:
  • Training staff to implement the organization's cybersecurity policies and procedures to create workforce readiness and operational resiliency.
  • Providing specific cybersecurity and resiliency training (phishing exercises, breach indicators, etc.).
  • Monitoring to ensure employees attend training and assessing the effectiveness of training (updating the program if necessary).

For more information related to monitoring and preparing for cybersecurity risks, see Article, Board Oversight of Cybersecurity Risks (2018) and Legal Update, OCIE Issues Cybersecurity Risk Alert.