New OCIE Report Offers Best Practices for Firms to Enhance Cyber Preparedness and Resiliency
A few weeks ago, Bates reviewed the 2020 examination priorities recently issued by the SEC Office of Compliance Inspections and Examinations ("OCIE"). That report reminded registered entities to address potential vulnerabilities in compliance programs and practices in order to minimize retail investor and market risks. On the heels of that report, OCIE has issued a new report on “Cybersecurity and Resiliency Observations” to reemphasize that cybersecurity is a top examination priority and that registered entities should be assessing their practices and procedures to ensure adequate compliance. Bates Research takes a closer look at what OCIE wants you to know.
Increasing Threats, Serious Consequences
The OCIE issued its new cybersecurity observations report based on concerns about (i) increasingly aggressive and sophisticated “cyber threat actors,” (ii) increasing firm reliance on technology, and (iii) the rising potential for negative consequences to investors, market participants and the financial markets. Based on 2019 examinations, the report offers best practices on a wide range of cybersecurity controls and operations.
Support from the Top: Governance and Risk Management
OCIE asserts that effective governance and risk management programs (i) demonstrate strong and engaged leadership, (ii) effectively assess and prioritize cybersecurity risk, (iii) have written policies and procedures to address that risk, and (iv) have practices that implement and enforce those policies.
Specifically, OCIE recognized programs that demonstrate appropriate board- and senior-level engagement, including those in which senior leaders demonstrate their commitment “to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.”
OCIE highlighted risk assessment methodologies tailored to an organization’s business model and wants firms to consider a wide spectrum of vulnerabilities from “remote or traveling employees” to “geopolitical risks.” Firms should expect that the OCIE will examine for policies and procedures that (i) establish adequate testing and monitoring, informed by cyber threat intelligence; (ii) respond to such testing and monitoring with continuous updates; and (iii) provide updated information to stakeholders and to regulators.
Access Rights and Controls
Firms should also expect that the OCIE will examine to ensure that a firm has appropriate controls in place to limit access to sensitive client information. This means an organization’s systems should demonstrate that managers (i) understand the location of client information, (ii) restrict access to that data only to authorized users, and (iii) take steps to prevent and monitor for unauthorized access.
OCIE said it observed firm strategies in which managers limited access during “onboarding, transfers, and terminations;” implemented “separation of duties for user access approvals” and created periodic recertification procedures, among others. Similarly, OCIE identified best practices for access monitoring, including procedures for logins, user name and password changes, hardware and software changes and for the investigation of system anomalies.
Data Loss Prevention
OCIE said that firms should ensure the protection of sensitive data from unauthorized users. OCIE highlighted “capabilities” used by firms to (i) scan for vulnerabilities in internal and external systems (including applicable third party providers), (ii) “control, monitor, and inspect network traffic,” (iii) “detect threats on endpoints” (e.g. maintaining system logs and applications for aggregation and analysis), (iv) “patch” software and hardware from virus and malware threats, (v) maintain inventories of all hardware and software, (vi) secure data and systems through encryption and network segmentation, (vii) identify and block the transmission of suspicious behaviors, and (viii) secure legacy systems and equipment.
OCIE highlighted firm strategies to secure mobile devices and mobile applications. These include establishing clear policies and procedures and requiring the use of mobile device management (MDM) technology applications for authorized users. OCIE also noted firm best practices that “prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets,” as well as sufficient employee training on mobile device policies.
Resiliency and Incident Response
OCIE expects firms to have incident response plans that include “timely detection and disclosure of material information” in the event of a cyber incident. Specifically, OCIE noted effective programs that incorporate: (i) scenario planning (e.g. denial of service or ransomware); (ii) systems for regulatory and suspicious activity reporting (SARs) and compliance; (iii) adequate notifications concerning data breaches to customers, clients and employees; (iv) staff preparedness plans and (v) incident response testing.
The OCIE also stated that resiliency plans should be based on assessed risks and business priorities, so the firm is in the best position to maintain its core business operations and systems in the event of an incident. This includes determining system and process substitutions during disruptions, maintaining backup data, and assessing the “effects of business disruptions on both the institution’s stakeholders and other organizations.”
OCIE highlighted firm best practices for vendor management. These include, among others, required due diligence during vendor selection, ongoing relationship monitoring, assessments of vendor services within the firm’s ongoing risk processes, and vendor protection of client information.
OCIE expects that firm employees undergo training about cyber risks to help “build a culture of cybersecurity readiness and operational resiliency.” OCIE observed firms that have robust policies, procedures, training guides and training programs that incorporate specific examples of threats (e.g. phishing emails) to help employees prevent breaches, and to identify and respond to suspicious behavior. OCIE recognized firms that continuously evaluate and update their training programs based on cyber threat intelligence.
The new OCIE report emphasizes that cybersecurity remains a key SEC priority, particularly when it comes to customer data protection, disclosure and compliance (see previous Bates alert). Though OCIE offers these very specific observations on “cybersecurity preparedness and operational resiliency,” it says that there is no such thing as a “one-size-fits-all” cybersecurity program. However, in light of the fact that this very detailed template represents the second OCIE warning in a matter of weeks, it would be prudent for firms to review whether they are appropriately assessing, monitoring and managing their cybersecurity risk.