Would Your Cybersecurity Practices Pass an SEC Exam?

Are your cybersecurity practices up to snuff? The SEC has made cybersecurity one of its top examination priorities…

The Securities and Exchange Commission (SEC) has made cybersecurity one of its top examination priorities for securities and financial organizations and participants.  The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) cybersecurity initiative was designed to assess a company’s cybersecurity preparedness in the wake of an uptick in cyber attacks.  In a recent report, OCIE outlined several cybersecurity and operational resiliency practices that firms have adopted to safeguard against cyber threats. While the SEC does not necessarily describe them as “best” practices, the approaches can be useful in evaluating how your own firm’s cyber practices stack up.

SEC Focus on Cybersecurity

The SEC has increased its focus on cybersecurity issues in recent years:

1. The SEC’s Division of Enforcement established the Cyber Unit in September 2017 which focuses on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked nonpublic information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms
2. The SEC has also included cybersecurity as a key element in its corporate examination program over the past eight years.
3. OCIE has published eight risk alerts related to cybersecurity.
4. Finally, the SEC assumed legal authority to bring cyber-related enforcement actions against “bad actors” in order to protect investors and deter future wrongdoing.

To aid in compliance, the SEC recently issued examination observations related to cybersecurity and operational resiliency practices, which are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.  According to OCIE, these observations will afford organizations the opportunity to reflect on their own cybersecurity practices. “Recognizing that there is no such thing as a ‘one-size fits all’ approach and that all of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency,” the SEC stated.

SEC’s Observations on Cybersecurity Practices

The SEC’s observations are focused in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Below are several key takeaways:

(1) Governance and risk management: The SEC highlights the importance of establishing effective cybersecurity programs as part of corporate governance and risk management measures.  These programs generally include, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address risks; and (iii) the implementation and enforcement of those policies and procedures.

(2) Access Rights and Controls: The SEC explains that access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access. It specifically highlights the importance of limiting access to sensitive systems and data based upon the user’s needs to perform legitimate and authorized activities, requiring periodic account reviews, and revoking system access immediately for individuals no longer employed by the organization.

(3) Data Loss Prevention: Possessing the proper tools and processes to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users is the premier consideration. Examples of effective practices include:

• Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third party software) and hardware, including anti-virus and anti-malware installation;
• Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers; and
• Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.

(4) Mobile Security: Companies should not only establish policies and procedures for the use of mobile devices, but also train employees regarding the importance of abiding by the established policies and procedures. To effectively manage the use of mobile devices, the SEC notes that many firms require the use of a mobile device management (MDM) application or similar technology. Companies also take affirmative steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets and ensure the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.

(5) Incident Response and Resiliency: An important component of an incident response plan includes business continuity and resiliency.  Strategies underscored by the SEC include identifying and prioritizing core business services and developing a strategy for operational resiliency with defined risk tolerances tailored to the organization.

Organizations with effective incident response plans tend to include the following elements:

• Developing a plan;
• Determining and complying with applicable federal and state reporting requirements for cyber incidents or events;
• Designating employees with specific roles and responsibilities in the event of a cyber incident; and
• Testing the plan.

(6) Vendor Management: The Vendor management practices should generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.

(7) Training and Awareness: Organizations are encouraged to provide employees with training programs that illustrate the nature of cyber risks and responsibilities and heightens awareness of cyber threats. Training staff on your organization’s cybersecurity policies and procedures, it is helpful to include examples and exercises which will help employees identify phishing emails. A continuous re-evaluation and update to your firm’s training programs based on cyber-threat intelligence is pertinent.

Key Takeaway

While smaller organizations may not have the resources to implement all of the practices highlighted above, the SEC’s observations are very useful, particularly for registered broker-dealers and investment advisers that want to evaluate their cybersecurity practices, policies, and procedures before examiners come knocking.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.