Guidance from OCIE on Cybersecurity

On January 27, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) released a report, Cybersecurity and Resiliency Observations (the “Report”), which outlines its examination findings over the past several years. OCIE has been reviewing cybersecurity practices at firms under its examination authority since 2012, conducting at least three specific targeted exams of investment advisers. During that time, it issued eight Risk Alerts related to cybersecurity.

This new Report is based upon exam findings from broker-dealers, investment advisers, clearing agencies, national securities exchanges, investment companies and other SEC registrants over the past several years. It represents best practices discovered and observations made while conducting thousands of examinations.

Seven topics are highlighted in the Report. Many of them have already been addressed in the earlier Risk Alerts, and they include the following best practices:

  • Governance and Risk Management – Senior management should be involved and the board should provide oversight; the process for communicating about incidents, both internally and externally (as applicable), should be documented in policies.
  • Access Rights and Controls – Limit system access to an “as needed” basis, monitor that access, and require multi-factor authentication.
  • Data Loss Prevention – Vulnerability scans, patching, network segmentation, threat monitoring, and safe disposal of legacy equipment are good preventive practices.
  • Mobile Security – Firms should have Mobile Device Management (MDM) apps installed to control electronic communications and data storage.
  • Incident Response and Resiliency – Written Incident Response Plans should be in place and should provide for testing and assessing the plan regularly. A reporting process should be defined based on the type and severity of an incident.
  • Vendor Management – A written Vendor Management Program should map vendor relationships and describe how vendors are monitored and tested for compliance with data protocols.
  • Training and Awareness – Staff training is crucial so employees can identify and properly mitigate cyber threats; training should include examples and specific exercises, such as simulated phishing attempts, to test its effectiveness.

Generally, the Report does not provide new information, but it collects OCIE’s findings and observations over time in one place and provides a good summary of what firms need to include in their cybersecurity programs.

View the OCIE “Cybersecurity and Resiliency Observations Report”