What You Need to Know from OCIE’s 2020 Cybersecurity Observations

What You Need to Know from OCIE’s 2020 Cybersecurity Observations

Share on facebook
Share on twitter
Share on linkedin
Share on email
Share on print

On January 27, 2020, the Securities and Exchange Commission’s (SEC) Office of Inspections and Examination (OCIE) released its Cybersecurity and Resiliency Observations for 2020 (the Release). The observations are designed to assist market participants in managing and combatting cybersecurity risk and the maintenance and enhancement of operational resiliency.

  • Governance and Risk Management: As with the exam program generally, OCIE looks for a “tone at the top” when it comes to executing a firm’s compliance program. In particular, senior leaders should clearly communicate the organization’s commitment to a tailored policies and procedures, a robust assessment of the firm’s cybersecurity risks, and continual monitoring of the program so that it quickly adapts to changes in risk.
  • Access Rights and Controls: From the beginning of its cybersecurity sweeps, OCIE has focused on access restrictions (i.e., limiting certain data to authorized users and better protecting against the improper use of client information). The Release emphasized that firms should be intentional when organizing and chronicling system data so that the system has fewer vulnerabilities. OCIE noted that effective programs include procedures to: manage user access through systems and procedures, enable multi-factor authentication and address access rights of individuals who leave the firm.
  • Data Loss Prevention: Procedures should be sufficient to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Firms that effectively prevented data loss routinely scanned for vulnerabilities in their software, hardware and web-based applications, including those of their third-party providers. These organizations also employed perimeter security measures capable of inspecting and preventing harmful traffic and detecting threats on system end points. Finally, firms should inventory their hardware and software assets, routinely patch and update software and oversee the proper disposal of legacy systems and equipment.
  • Mobile Security: Mobile devices and applications present unique vulnerabilities due to because they are in transit. OCIE observed that firms can install applications on these devices that will automate the routine monitoring of email communication, calendars, data storage and other activities. A key component in implementing effective security protocols includes training employees on prudent usage of mobile devices.
  • Incident Response and Resiliency: Firms should develop an incident response plan that enables swift detection and handling of a wide range of cyber threats. Once an incident occurs, the plan should outline the steps for a quick recovery so that the firm can continue safely serving its clients. OCIE highlighted the fact that other state and federal laws may apply to cybersecurity incidents. Accordingly, firms should consider the circumstances in which an incident warrants contacting employees, clients and/or third parties, such as criminal authorities and regulators.
  • Vendor Management: Third-party vendors may pose risks with respect to client data. OCIE noted that effective vendor management includes implementing initial screenings and safeguards, establishing vendor termination procedures, understanding and avoiding the risk posed by a vendor’s contract terms, and continuous monitoring of all third-party vendors.
  • Training and Awareness: Further to a “tone at the top,” firms should to embed cybersecurity as a cultural norm that guides firm behavior. In addition, regular, formal training informs employees about the risks and responsibilities associated with cyber threats. OCIE observed that effective training programs include the use of examples and exercises that mimic the threats that the firm needs to prevent.

It is important to remember that these are general observations for the SEC as an agency. As you review the observations, compare them to your firm’s own policies and procedures and consider whether you may need to reassess certain policies and procedures moving forward. As always, the Greyline team is happy to assist you with these inquiries.

Please find the full Cybersecurity and Resiliency Observations here.


Related Posts
Greyline is pleased to announce that we have made the short list for the 2021 HFM U.S. Service Awards in the Best Advisory Firm and Best Technology Firm – Newcomer categories. The award winners will be announced on September 22.