The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) staff has compiled observations from its thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchange, and other SEC registrants and shared some best practices for safeguards against cybersecurity threats.
The observations are intended to help organizations review their practices, policies, and procedures to assess their preparedness for cybersecurity threats and strengthen their operational resiliency.
View the examination observations.
Governance and Risk Management
A critical component of any effective cybersecurity program is the commitment and inclusion of senior leadership in its strategy, assessment, and oversight. The cybersecurity program should involve a combination of the organization’s senior leaders, information technology professionals (“IT), and the compliance department.
Successful firms have leadership who prioritize cyber risk assessments, document policies and procedures, provide oversight in the implementation of the cybersecurity and resiliency policies, and continuously test, monitor, and update the policies.
Access Rights and Controls
Successful cyber security programs have a clear understanding of access rights and limit employee and vendor access to sensitive systems and data to those individuals or service providers whose job descriptions require such access.
Management of access rights and controls includes systems and procedures that control onboarding, transfers, and terminations of employees and vendors. On a periodic basis, IT should require reviews and re-certification of access rights as well as password changes, multi-factor authentication, and verification codes, when appropriate.
An effective system also monitors failed login attempts, password change requests, and unusual requests, and ensures that changes to access rights receive appropriate approvals from designated managers and any anomalies detected are investigated.
Data Loss Prevention
Robust data loss and prevention programs include the following:
- Routine scans of both internal and third-party vendors’ software and hardware to identify vulnerabilities
- Perimeter security capabilities include firewalls, intrusion detection systems, and content filtering that inspects for and prevents potential unauthorized traffic
- Threat detection identifying incoming fraudulent communications
- A patch management program that covers software and hardware and includes anti-virus and malware
- An accurate inventory of all software and hardware
- Encryption of data and access controls
- Programs to identify suspicious behavior
- Rules that block transmission of sensitive data from leaving the organization
- Procedures to remove sensitive data from software and hardware as they are no longer needed.
- Processes to reassess vulnerabilities as new systems are implemented
Mobile Security
Policies and procedures involving firm mobile devices should include the use of a device management application and plans for security measures to prevent printing, copying, pasting, or saving information to personally owned devices. They should also include the ability to remotely clear data from a device that is lost or is in the possession of a former employee.
Incident Response and Resiliency
One of the more crucial and often overlooked components of a cybersecurity program is the incident response and resiliency plan (“IRP”). Key components of an IRP should include timely notifications to appropriate authorities and regulators, procedures that assign roles and responsibilities to appropriately escalate potential compromises, and plans to communicate incidents with key stakeholders. Resiliency planning requires identifying and prioritizing core business services and developing strategies to substitute systems and processes to deliver those services in the event of an incident. Storing backup data in a different geographic location is an effective practice. Regular testing of the IRP will also help ensure your firm is prepared for a cyber event without severe disruption to your operations.
Vendor Management
It is critical for firms to develop an effective vendor management program, which should include thorough due diligence procedures. Questions in the initial vetting process and in independent audits should include detailed questions based on industry information, and security standards, and should establish that the vendor meets all security requirements and protections.
Training and Awareness
An effective training and awareness program will ensure that all firm employees are aware of and equipped to identify and respond appropriately to cyber threats. Making the policies and procedures available to all employees and providing specific training on resiliency, phishing emails, breach indicators, and suspicious behavior will help ensure your team is prepared to identify and respond to threats.
Core Compliance and Legal Services, Inc. can help you strengthen your cybersecurity practices by drafting policies and procedures, recommending IT specialists, providing risk assessment and incident responses, and training your employees. Contact our team of experts today.