The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States and worldwide.
The observations come from the SEC’s Office of Compliance Inspections and Examinations. The OCIE operates the SEC’s National Exam Program, which is a risk-based inspection program intended to protect investors and ensure market integrity. OCIE collects and analyzes information on various measures that have been taken by market participants. Information gathered includes information about governance and risk management, access rights, and data loss prevention. OCIE also looks at mobile security, incident response resiliency and vendor management. Finally, OCIE looks at training and awareness as well.
The recently-issued observations provide specific examples of policies and practices that U.S. market participants have undertaken to protect sensitive data. Effective cybersecurity programs, the SEC noted, include those that look comprehensively at their risks. They also implement vulnerability scanning and monitor network traffic and detect security threats. The SEC also found effective programs are ones that had mobile device management and risk-assessed incident response plans for data breaches. The OCIE did recognize, though, that there is no “one-size fits all” approach for cybersecurity.
Putting it Into Practice: These observations give companies ideas about steps the SEC expects they will have taken to evaluate current cyber-risk infrastructure and make potentially-needed upgrades. While aimed at the financial markets, these recommendations may be helpful benchmarks for others as well.