OCIE Provides Observations on Cybersecurity and Operational Resiliency Best Practices
Friday, January 31, 2020

On January 27, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission issued a statement summarizing its observations of cybersecurity and operational resiliency practices of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants (the Observations). In its introduction to the Observations, the OCIE staff notes that cybersecurity is a key priority for OCIE. Therefore, although the OCIE staff acknowledges that there is not a “one-size fits all” approach to addressing cybersecurity, it recommends that SEC registrants assess their cybersecurity practices in light of the Observations.

The recommendations of the Observations include the following:

  • Governance and Risk Management. OCIE observed that the key elements of effective governance and risk management programs include: 1) senior level engagement in setting the strategy and overseeing the cybersecurity and resiliency program; 2) developing and conducting risk assessments to identify and mitigate risks; 3) adopting and implementing comprehensive policies and procedures addressing cybersecurity; 4) establishing comprehensive testing and monitoring of cybersecurity policies and procedures; 5) responding promptly to testing and monitoring results; and 6) establishing internal and external communication policies and procedures to provide timely information to the appropriate parties.

  • Access Rights and Controls. OCIE observed that strategies for determining appropriate users for firm systems include: 1) understanding access needs; 2) managing and restricting users as appropriate; and 3) preventing, monitoring and investigating unauthorized access.

  • Data Loss Prevention. OCIE observed the use of the following data loss prevention measures: 1) establishing a vulnerability management program; 2) establishing perimeter security and monitoring network traffic; 3) implementing systems that provide detective security; 4) establishing a patch management program; 5) inventorying hardware and software; 6) securing data through encryption software and network segmentation; 7) creating an insider threat program to identify suspicious behaviors; and 8) decommissioning and disposing of hardware and software in a manner that does not create vulnerabilities.

  • Mobile Security. OCIE observed that vulnerabilities related to the use of mobile devices and mobile applications may be mitigated by: 1) establishing policies and procedures for the use of mobile devices; 2) using a mobile device management application to manage a firm’s mobile device applications; 3) implementing security measures, which may include preventing printing, copying or saving information to personally owned devices and remotely clearing data and content from devices; and 4) training employees on policies and practices to protect mobile devices.

  • Incident Response and Resiliency. OCIE observed that incident response plans tend to include the following: 1) developing a risk-assessed incident response plan for various scenarios and maintaining procedures on appropriate notification, escalation and communication of cybersecurity incidents; 2) addressing how to meet applicable reporting requirements; 3) assigning staff to execute specific areas of the plan; and 4) testing the plan and recovery times. In addition, OCIE observed that addressing resiliency includes: 1) identifying and prioritizing core business services; 2) determining which systems can be substituted during disruption; 3) implementing geographic separation of back-up data; 4) considering the effects of business disruptions; and 5) potentially purchasing cybersecurity insurance.

  • Vendor Management. OCIE observed that proper vendor management includes: 1) conducting due diligence of vendors; 2) understanding vendor relationships and contract terms, along with the risks related to vendor outsourcing; and 3) monitoring vendor relationships to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.

  • Training and Awareness. OCIE observed that sound training practices include: 1) training staff to implement the firm’s policies and procedures and building a culture of cybersecurity readiness and operational resiliency; 2) providing cybersecurity examples and exercises, including phishing exercises and training on how to identify and respond to breaches and suspicious client behavior; and 3) monitoring training attendance and continuously updating trainings based on cyber-threat intelligence.

The Observations further encourage SEC registrants to: 1) monitor the SEC’s Cybersecurity Spotlight page; 2) sign up for alerts from the Cyber Infrastructure Security Agency; 3) participate in information-sharing groups such as the Financial Services Information Sharing and Analysis Center; and 4) consult the National Institute of Standards and Technology Cybersecurity Framework.

The Observations are available here.
