I. SUMMARY

On January 27, the Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") published a report on its observations of cybersecurity and resiliency practices in securities and financial markets.1 Developed through its examinations of thousands of broker-dealers, investment advisors, clearing agencies, national securities exchanges, and other SEC registrants, the OCIE's observations laid out its views on industry best practices and focused its attention on challenges and risks arising from:

  • governance and risk management;
  • access rights and controls;
  • data loss prevention;
  • mobile security;
  • incident response and resiliency;
  • vendor management; and
  • training and awareness.

As the OCIE more generally observed, technology has become increasingly vital for markets, market participants, and their vendors, and cybersecurity threats are likewise becoming progressively more sophisticated and aggressive. Information security has therefore become a key element in the OCIE's examination program over the past eight years, and the OCIE hopes these observations will assist market participants in considering how to enhance cybersecurity preparedness and operational resiliency.

II. GOVERNANCE AND RISK MANAGEMENT

The OCIE's focus on governance emphasizes a "tone at the top" on cyber risks, "with senior leaders who are committed to improving their organization's cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks." The OCIE expects organizations to implement appropriate cybersecurity programs and processes, including (i) regular risk assessments to identify, analyze, and prioritize cybersecurity risks to an organization, (ii) written cybersecurity policies and procedures to address those risks, and (iii) operations for actively monitoring information security systems to detect procedure violations and optimize enforcement of those policies and procedures.

The OCIE describes several measures taken by organizations in this area. First, organizations generally have board and senior-level leadership attention in setting strategy and overseeing the cybersecurity programs. Second, organizations have developed a process to identify, manage, and mitigate risks while considering potential vulnerabilities specific to the organization's business model, such as remote or traveling employees, insider threats, and international operations, especially with the proliferation of threats from sophisticated and well-resourced state actors. Next, organizations have established comprehensive written policies and procedures with respect to all of the practice areas outlined above. Lastly, organizations consistently test and monitor the procedures, evaluate and adapt policies and procedures to address weaknesses, and communicate promptly with decision makers, customers, employees, market participants, and regulators.

III. ACCESS RIGHTS AND CONTROLS

Access rights and controls need to identify and control physical and electronic access to an organization's systems based on users' job responsibilities, with the objective of regulating access for authorized users in ways that are both practical and secure. The OCIE states that effective access rights and controls require understanding the location of specific systems and data, restricting access to authorized users, and implementing appropriate controls to prevent and monitor unauthorized access. Multi-factor authentication continues to be a key element of secure access control.

The OCIE classifies several strategies based on its observations. One strategy is to determine who needs legitimate authorized access to which sensitive systems and data, and then to require periodic account reviews to confirm that those access needs still hold. Second, organizations need to develop systems and procedures for access management. This includes (i) limiting access as appropriate, such as during onboarding, transfers, and terminations, (ii) having a separation of duties for approvals of user access, (iii) re-certifying user access rights periodically, (iv) requiring strong passwords and periodic password changes, (v) requiring multi-factor authentication, and (vi) promptly revoking system access for employees who no longer need it. Third, organizations need to monitor access and develop procedures to review failed login attempts and lockouts, ensure the proper handling of requests for unusual changes to system hardware and software, such as login credentials, and approve such changes and investigate anomalies as required.

IV. DATA LOSS PREVENTION

Data loss prevention requires employing appropriate tools and processes to ensure that an organization's sensitive data is not lost, misused, or accessed without authorization. The OCIE observes the following key strategies in this area. The first is vulnerability scanning, which calls for routine scans to detect possible vulnerabilities in software code, web applications, servers and databases, workstations, and endpoints. Another is implementing perimeter security, which provides methods to control, monitor, and inspect all network traffic, such as firewalls and intrusion detection systems, or uses enterprise data loss prevention solutions to monitor access to personal email, cloud sharing services, social media, and removable storage devices. Organizations can also use detective security, which uses technology to detect fraudulent communications in progress. Encryption and network segmentation are other common methods; the former encrypts all data internally and externally, both "in motion" and "at rest," while the latter implements segmentation across networks and systems and configures access-control lists to limit data availability across systems. Insider threat monitoring programs increase the frequency of testing, create rules to identify and block transmission of sensitive data, and take corrective actions based on the results. The OCIE furthermore identifies other methods such as patch management programs, maintenance of an inventory of critical hardware and software, and securing and disposing of legacy hardware and software.

V. MOBILE SECURITY

The OCIE states that mobile device access can create a variety of security risks, particularly where a bring-your-own-device policy is in place. Mobile devices can be managed using fully compatible mobile device management applications, or other similar technology, for an organization's internal tools such as email, calendar, data storage, and others. Other mobile security measures include multi-factor authentication, controls for preventing printing, copying, pasting, or saving information to personal devices, and the ability to remotely clear data and content from devices. Lastly, establishing mobile-specific policies and procedures and training employees on those policies and procedures are essential.

Originally published by Cahill, March 2020