SEC Publishes Cybersecurity and Resiliency Observations Report

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a report on Cybersecurity and Resiliency Observations based on practices seen in prior exams.  OCIE published the overview of practices to help market participants when considering “how to enhance cybersecurity preparedness and operational resiliency,” while acknowledging that there is not a “one-size fits all” approach.  The report links cybersecurity to resiliency and business continuity planning, explicitly merging two concepts on which the OCIE has previously focused into a single topic.

The summary of examination observations covers practices and strategies in governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.  The OCIE report notes that effective programs rely on thorough re-occurring risk assessments, including of vendor relationships; written policies and procedures to address those risks; and effective implementation, training, testing, and enforcement within the organization.

In the report, OCIE emphasized the importance of several core components of effective cybersecurity and resiliency programs, including senior engagement; cyber-threat sharing; effective implementation and training; and wide-ranging data loss prevention efforts. During exams, OCIE found that meaningful senior level engagement set the tone for an organization’s cybersecurity program and correlated with the effectiveness of a program. Incident response preparedness, including business continuity and resilience, is unsurprisingly another large component of an effective program in OCIE’s view. But the OCIE report highlights the importance of cyber-threat intelligence sharing and working with regulators and law enforcement, which organizations may be hesitant to do because of fears of regulatory repercussions.  The OCIE report also emphasized the testing and re-evaluation of incident response plans using a variety of methods, such as table top cybersecurity exercises to simultaneously assist in training the organization.

The report underscores the expectation that a market participant re-evaluate and update practices throughout the organization to reflect new threats and take into account prior incidents or difficulties the organization has faced. Using the right technical tools and processes to secure data and prevent its misuse are key as well.  The OCIE report’s use of the term data loss prevention to refer to a broad range of practices—from patch management and hardware inventories to insider threat monitoring—indicates that OCIE expects organizations to take steps beyond installing data loss prevention software and that organizations should address the many ways data can be lost or misused.  The OCIE report also emphasized the importance of training to help ensure robust policies and practices are understood and appropriately implemented.

Organizations can use the report to review their own practices, policies, and based on the organizations’ risks, implement the appropriate procedures to better secure the organization.  These observations outline practices that OCIE “believes . . . will make your organization more secure” and that it may expect to see during examinations.  In the corresponding press release, SEC Chairman Jay Clayton “encourage[d] market participants to incorporate this information into their cybersecurity assessments.”