Due to an increase in cyber security-related threats, firms participating in securities markets should establish procedures to monitor, assess and manage their cyber security risk profiles, including operational resiliency. On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published examination observations related to cyber security preparedness and operational resiliency. The following practices were highlighted:
Governance and Risk Management
While the efficacy of any given cyber security program is fact-specific, the OCIE observed that effective programs incorporated risk assessment processes to identify, analyze and prioritize cyber security risks specific to the organization. To address those risks, firms implemented programs which included senior level involvement, written cyber security policies and procedures, testing and monitoring, ongoing evaluation of policies and processes and communication of such policies and processes.
Access Rights and Controls
To implement appropriate access rights and controls, the OCIE observed that firms developed policies and procedures to address user access to firm systems, managed user access and monitored user access to detect unauthorized access to firm systems. To determine appropriate access for firm personnel and to deploy appropriate access controls, firms must understand where data resides throughout the organization (including client information), restrict access to systems and data to authorized users only and establish appropriate controls to prevent, and monitor for, unauthorized access.
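As an added illustration of the two halves of that practice (restricting access to authorized users, then monitoring access records for anything that slipped past the restriction), the following Python example is not from the OCIE report or any firm's tooling. It uses a constructed, hypothetical role-entitlement table and constructed access-log lines; the log format, user names and system names are assumptions made for the example.

```python
"""Access-rights review: check constructed access-log lines against a
role-based entitlement table and flag unauthorized or stale access.
Added example; not from the OCIE report. All data below is constructed."""
from dataclasses import dataclass

# Constructed user -> role mapping (hypothetical firm). A role of None
# marks a terminated employee whose account should already be disabled.
USER_ROLES = {
    "alice": "advisor",
    "bob": "ops",
    "carol": "advisor",
    "dave": None,
}

# Constructed role -> system -> permitted actions. Only what is listed is
# allowed; everything else is denied by default (least privilege).
ROLE_ENTITLEMENTS = {
    "advisor": {"crm": {"read", "write"}, "client-docs": {"read"}},
    "ops": {"crm": {"read"}, "backup-server": {"read", "write"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    action: str
    reason: str


def is_authorized(user, system, action):
    """Preventive control: allow only actions explicitly entitled to the
    user's role; unknown users and terminated users get nothing."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return action in ROLE_ENTITLEMENTS.get(role, {}).get(system, set())


def parse_log_line(line):
    """Parse a constructed log line of the form
    '<timestamp> user=<u> system=<s> action=<a> result=<allowed|denied>'."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = ts
    return record


def review_access_log(lines):
    """Detective control: replay log lines against the entitlement table.
    Any event outside the table is a finding; an event that was *allowed*
    despite being outside the table means the preventive control failed."""
    findings = []
    for line in lines:
        ev = parse_log_line(line)
        user, system, action = ev["user"], ev["system"], ev["action"]
        if user not in USER_ROLES:
            reason = "unknown account"
        elif USER_ROLES[user] is None:
            reason = "terminated user still has active access"
        elif not is_authorized(user, system, action):
            reason = "action not in role entitlements"
        else:
            continue
        if ev.get("result") == "allowed":
            reason += " (control failed: access was allowed)"
        findings.append(Finding(user, system, action, reason))
    return findings


def stale_accounts():
    """Periodic entitlement review: accounts that should be disabled."""
    return sorted(u for u, role in USER_ROLES.items() if role is None)


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2020-02-03T09:15:22Z user=alice system=crm action=read result=allowed",
    "2020-02-03T09:16:01Z user=bob system=client-docs action=read result=allowed",
    "2020-02-03T09:17:45Z user=dave system=crm action=read result=allowed",
    "2020-02-03T09:18:10Z user=carol system=crm action=delete result=denied",
    "2020-02-03T09:19:00Z user=mallory system=backup-server action=write result=denied",
]

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.user:8} {f.system:14} {f.action:7} {f.reason}")
    print("accounts to disable:", stale_accounts())
```

Replaying the log against the same table the preventive control uses is the point: the "bob" and "dave" lines were allowed by the system, so they expose a gap between the documented entitlements and what is actually enforced, while the "carol" and "mallory" lines were denied and are worth escalating as attempted misuse rather than as control failures.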
Data Loss Prevention
The OCIE observed that firms typically deploy various tools and processes to prevent loss of sensitive data, including client information. These tools and processes include vulnerability scanning, perimeter security, detective security, patch management, encryption and network segmentation, and insider threat monitoring.
Mobile devices and applications may create additional and unique vulnerabilities. To address these potential weaknesses, firms have established policies and procedures governing the use of mobile devices. Firms have also made efforts to utilize mobile device management applications, implement required security measures (e.g., multi-factor authentication, remote wiping of content/data from a lost or stolen device, etc.) and regularly train employees on mobile device policies and procedures.
Incident Response and Resiliency
The OCIE observed that effective incident response plans focus on the timely detection and appropriate disclosure of material information regarding incidents and assess the appropriateness of corrective actions taken in response to such incidents. Observed incident response plans generally included the following:
- A risk-assessed plan for various scenarios (e.g., denial of service attacks, malicious disinformation, ransomware, key employee succession, etc.);
- Procedures addressing timely notification and response if an event occurs;
- A process to escalate incidents to appropriate levels of management (including legal and compliance functions);
- Procedures for communication with key stakeholders (as necessary);
- Applicable reporting requirements (e.g., FBI, regulators, clients, etc.);
- Assigning designated employees to specific roles and responsibilities; and
- Procedures detailing plan testing and ongoing evaluation.
The OCIE also noted that business continuity and resiliency are important components of incident response plans. Firms engaging in effective resiliency measures implemented strategies to identify and prioritize core businesses, identified which systems and processes could be substituted to avoid business service disruptions and maintained backup data on separate networks and offline.
Vendor Management
Effective vendor management practices and controls observed generally included establishing policies and procedures for conducting due diligence for vendor selection, as well as monitoring and overseeing vendors. These policies and procedures include periodically reviewing contract terms, using questionnaires and independent audit reports (e.g., SOC 2 reports) to ensure vendors meet security requirements, and assessing vendor relationships as part of the organization’s ongoing risk assessment process (e.g., how the organization determines the appropriate level of due diligence to conduct on a vendor and how it assesses the way vendors protect any client information they can access).
Training and Awareness
The OCIE noted that training and awareness are key components of cyber security programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats. Training focused on building a culture of cyber security readiness and operational resiliency, including exercises to detect suspicious activities (e.g., phishing exercises) and preventive measures (e.g., identifying and responding to indicators of breaches and obtaining customer confirmation if behavior appears suspicious).
For further information, you can find the entire report here.