Feb 62020

SEC Publishes Cybersecurity and Resiliency Observations Report

Colleen Theresa Brown, W. Hardy Callcott and Michaelene E. Hanley
, , ,

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a report on Cybersecurity and Resiliency Observations based on practices seen in prior exams.  OCIE published the overview of practices to help market participants when considering “how to enhance cybersecurity preparedness and operational resiliency,” while acknowledging that there is not a “one-size fits all” approach.  The report links cybersecurity to resiliency and business continuity planning, explicitly merging two concepts on which the OCIE has previously focused into a single topic.

The summary of examination observations covers practices and strategies in governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.  The OCIE report notes that effective programs rely on thorough re-occurring risk assessments, including of vendor relationships; written policies and procedures to address those risks; and effective implementation, training, testing, and enforcement within the organization.

In the report, OCIE emphasized the importance of several core components of effective cybersecurity and resiliency programs, including senior engagement; cyber-threat sharing; effective implementation and training; and wide-ranging data loss prevention efforts. During exams, OCIE found that meaningful senior level engagement set the tone for an organization’s cybersecurity program and correlated with the effectiveness of a program. Incident response preparedness, including business continuity and resilience, is unsurprisingly another large component of an effective program in OCIE’s view. But the OCIE report highlights the importance of cyber-threat intelligence sharing and working with regulators and law enforcement, which organizations may be hesitant to do because of fears of regulatory repercussions.  The OCIE report also emphasized the testing and re-evaluation of incident response plans using a variety of methods, such as table top cybersecurity exercises to simultaneously assist in training the organization.

The report underscores the expectation that a market participant re-evaluate and update practices throughout the organization to reflect new threats and take into account prior incidents or difficulties the organization has faced. Using the right technical tools and processes to secure data and prevent its misuse are key as well.  The OCIE report’s use of the term data loss prevention to refer to a broad range of practices—from patch management and hardware inventories to insider threat monitoring—indicates that OCIE expects organizations to take steps beyond installing data loss prevention software and that organizations should address the many ways data can be lost or misused.  The OCIE report also emphasized the importance of training to help ensure robust policies and practices are understood and appropriately implemented.

Organizations can use the report to review their own practices, policies, and based on the organizations’ risks, implement the appropriate procedures to better secure the organization.  These observations outline practices that OCIE “believes . . . will make your organization more secure” and that it may expect to see during examinations.  In the corresponding press release, SEC Chairman Jay Clayton “encourage[d] market participants to incorporate this information into their cybersecurity assessments.”

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

W. Hardy Callcott

San Francisco

wcallcott@sidley.com

Michaelene E. Hanley

mhanley@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.