On January 28, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a detailed set of observations culled from thousands of examinations of registered investment advisers, broker-dealers, clearing agencies, national exchanges, and other SEC registrants (“Observations”). These Observations represent the most detailed compilation of strategies and tools that OCIE has observed to promote effective cybersecurity programs. The Observations are the third set of observations released by OCIE since 2015, in addition to its multiple and more targeted risk alerts. Since approximately two-thirds of OCIE examinations conducted in fiscal year 2019 resulted in deficiency letters and OCIE will continue to prioritize cybersecurity throughout 2020, the Observations are a useful guide to assess a registrant’s cybersecurity and resiliency preparedness against a subset of financial industry participants and through a regulator’s lens.
The Observations cover the following key topics:
- Governance and risk management. OCIE recognizes the importance of executive and Board-level engagement for cybersecurity and resiliency strategy as well as oversight. The Observations highlight the need to consider (and presumably document) specific factors when defining risk assessment methodology, including consideration of the entity’s business model and the identification and prioritization of vulnerabilities. Additional risk management strategies include regular and frequent testing and monitoring, as informed by cyber threat intelligence. In addition to attention to written policies and procedures—including those governing internal and external communications—the Observations specifically note continuous evaluation and adaptation to changes as a risk management and governance measure.
- Access controls. In addition to the principle of least privilege and specific monitoring procedures designed to detect anomalies and handle change management, the Observations note additional effective approaches, including separation of duties for access approvals, multi-factor authentication (“MFA”), strong and periodically changed passwords, periodic access re-certification, and immediate de-certification upon certain triggering events (e.g., separation from the firm).
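To show what several of these access-control measures look like in practice, the following is an added example; it is not part of the alert or of OCIE's guidance, and the 90-day review cadence, the user names and the entitlement records are all constructed for illustration. It checks a set of access grants for separation-of-duties violations (requester approved their own access), for grants whose last re-certification is stale, and for grants still held by separated users, and it revokes every entitlement of a user the moment a separation event arrives.

```python
"""Access-lifecycle review modelled on the OCIE access-control observations:
separation of duties on approvals, periodic re-certification, and immediate
de-certification on separation. All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed review cadence for this example; OCIE does not prescribe a number.
RECERT_INTERVAL = timedelta(days=90)


@dataclass
class Entitlement:
    user: str
    system: str
    role: str
    granted_by: str          # who requested the access
    approved_by: str         # separation of duties: must differ from granted_by
    last_recertified: date   # date an owner last re-confirmed the access is needed


@dataclass
class Worker:
    user: str
    status: str              # "active" or "separated"
    separated_on: Optional[date] = None


Finding = Tuple[str, str, str]   # (user, system, reason)


def recertification_findings(entitlements: List[Entitlement],
                             workers: List[Worker],
                             today: date) -> List[Finding]:
    """Periodic review: flag grants that must be revoked or re-certified."""
    by_user = {w.user: w for w in workers}
    findings: List[Finding] = []
    for e in entitlements:
        w = by_user.get(e.user)
        # Unknown or separated user still holding access: revoke immediately.
        if w is None or w.status == "separated":
            findings.append((e.user, e.system, "revoke: user separated or unknown"))
            continue
        # Separation of duties: the requester may not be the approver.
        if e.granted_by == e.approved_by:
            findings.append((e.user, e.system, "sod: requester approved own access"))
        # Re-certification overdue: the grant has not been re-confirmed in time.
        if today - e.last_recertified > RECERT_INTERVAL:
            findings.append((e.user, e.system, "recertify: stale approval"))
    return findings


def revoke_on_separation(entitlements: List[Entitlement],
                         separated_user: str) -> List[Entitlement]:
    """Immediate de-certification: drop every grant held by a separated user."""
    return [e for e in entitlements if e.user != separated_user]


def sample_data():
    """Constructed sample: one clean grant, one SoD+stale grant, one leaver."""
    today = date(2020, 3, 1)
    workers = [
        Worker("alice", "active"),
        Worker("bob", "active"),
        Worker("carol", "separated", separated_on=date(2020, 2, 14)),
    ]
    entitlements = [
        Entitlement("alice", "trading-platform", "read", "alice", "bob",
                    today - timedelta(days=30)),
        Entitlement("bob", "general-ledger", "admin", "bob", "bob",
                    today - timedelta(days=120)),
        Entitlement("carol", "hr-database", "read", "carol", "alice",
                    today - timedelta(days=10)),
    ]
    return entitlements, workers, today


def run_review() -> List[Finding]:
    """Run the periodic review over the constructed sample data."""
    entitlements, workers, today = sample_data()
    return recertification_findings(entitlements, workers, today)


if __name__ == "__main__":
    for user, system, reason in run_review():
        print(f"{user:6} {system:18} {reason}")
    remaining = revoke_on_separation(sample_data()[0], "carol")
    print(f"{len(remaining)} entitlements remain after revoking carol")
```

In a real program the worker list would come from the HR system of record and the entitlements from each application's access export, and the review output would feed the ticketing or identity-governance tool so that each finding is either revoked or re-approved by a named owner, which is the documented evidence an examiner would expect to see.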
- Data loss prevention. The Observations devote considerable attention to various tools and processes designed to safeguard data, including vulnerability scanning, perimeter security, detective security (including log aggregation and analysis), patch management, inventory management, encryption and network segmentation, insider threat monitoring, and secure disposal (including legacy systems and equipment).
- Mobile security. In addition to policies and procedures and associated user training regarding the use of mobile devices and applications, the Observations note the effective use of mobile device management (“MDM”) technology, as well as “requiring the use of MFA for all internal and external users” as one of several key security measures to manage risks associated with mobile device and application use.
- Incident response and resiliency. The Observations discuss the importance of factoring business continuity and resiliency into incident response plans, as well as the development, testing, and periodic assessment of incident response plans. Effective incident response plans tend to include risk-assessed responses for different specific scenarios as informed by cyber threat intelligence and company-specific risks (e.g., DDoS, ransomware, key employee succession, malicious disinformation). Registrants also should consider contacting law enforcement and regulators to share information, making individual notifications, and including these decision points in their incident response plans. The Observations flag the importance of designating employees with specific roles and responsibilities in the event of a cybersecurity incident and of ensuring that such individuals have the cybersecurity and recovery expertise to handle their responsibilities. Finally, the Observations outline three strategies to address resiliency: inventory of core business operations and systems; risk assessment and prioritization of operations; and backups and other safeguards.
- Vendor management. Effective vendor management includes policies and procedures that address: due diligence during vendor selection (including a thorough understanding of the agreement’s terms and risks); monitoring and oversight of vendor relationships; ensuring vendor relationships are considered in the risk assessment process; and assessing how vendors protect client information. The Observations also note that effective strategies can include the formal review of contractual terms and the use of security questionnaires, independent audits, and/or reviews based on benchmarking standards to ensure vendors are meeting expectations. In addition to vendor assessment, monitoring, and testing, the Observations highlight procedures to govern the termination or replacement of vendors, and specifically single out cloud-based service providers in this context.
- Training and awareness. The Observations treat training and awareness as a key, enterprise-wide component of cybersecurity preparedness. Training strategies should cover the personnel responsible for implementing cybersecurity policies and procedures as well as users, so that the firm is able to “build a culture of cybersecurity readiness and operational resiliency.” In addition to preventative and specific training (e.g., anti-phishing), firms should continually update training modules based on cyber threat intelligence, monitor employee attendance, and assess the effectiveness of such training.
- Threat intelligence. In addition to highlighting the opportunity to share indicators of compromise (“IOCs”) from cybersecurity events with regulators in the context of incident response, the Observations also note additional resources related to cyber threat intelligence and information sharing, including receiving alerts from the DHS Cybersecurity and Infrastructure Security Agency (“CISA”), becoming a member of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), and monitoring the SEC Cybersecurity Spotlight page for updates.