In a new report, the SEC's Office of Compliance Inspections and Examinations ("OCIE") offered observations, based on thousands of examinations, "to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency."

The recommendations in the OCIE Cybersecurity and Resiliency Observations report include the following:

  • Governance and Risk Management. OCIE stated that while the effectiveness of any given cybersecurity program is "fact-specific," the most effective programs incorporate a governance and risk management program that generally includes (i) a risk assessment to identify, analyze and prioritize cybersecurity risks to the organization, (ii) written cybersecurity policies and procedures to address those risks, and (iii) the effective implementation and enforcement of those policies and procedures.
  • Access Rights and Controls. OCIE encouraged each firm to include in its access rights and controls (i) an explanation of the location of its data, (ii) restrictive measures to allow only authorized users to access systems and data, and (iii) established controls aimed at preventing and monitoring unauthorized access.
  • Data Loss Prevention. OCIE identified several data loss prevention measures used by organizations, such as (i) vulnerability scanning, (ii) perimeter security, (iii) detective security, (iv) patch management, (v) inventory hardware and software, (vi) encryption and network segmentation, (vii) insider threat monitoring, and (viii) securing legacy systems and equipment.
  • Mobile Security. OCIE cautioned that mobile devices and applications may create additional vulnerabilities. To mitigate the risk, OCIE recommended (i) establishing effective policies and procedures, (ii) managing the use of mobile devices by utilizing a mobile device management (or "MDM") application, (iii) enforcing multifactor authentication (or "MFA") for security purposes, and (iv) providing training for employees.
  • Incident Response and Resiliency. OCIE identified timely detection and the assessment of appropriate corrective actions as key factors of an organization's incident response. Notably, OCIE also emphasized the importance of a business continuity and resiliency component to allow the organization to quickly recover and safely serve clients.
  • Vendor Management. OCIE highlighted several practices and policies used by organizations within the vendor management area of their business. These include (i) establishing a program that ensures vendors satisfy security requirements, (ii) ensuring that all parties have a shared understanding of how risk and security issues are addressed, and (iii) monitoring the vendor relationship.
  • Training and Awareness. OCIE listed (i) the implementation of policies and procedures, (ii) phishing exercises and examples, and (iii) employee attendance at trainings as key components of an organization's cybersecurity program.


These observations from OCIE are the latest indicator that the staff has been focused intently on cybersecurity and the vulnerability of customer information for SEC registrants who fail to implement adequate policies, procedures and controls. While not authoritative, these observations, together with other cybersecurity-related resources issued by OCIE in recent years, should be used to better understand what regulators expect in terms of data loss prevention, incident response and the handling of third party vendors. Ignore them at your peril.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.