On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a report entitled Cybersecurity and Resiliency Observations.1
The report summarizes industry practices for combatting cybersecurity risks, and maintaining and enhancing operational resiliency, based on thousands of OCIE examinations of broker-dealers, investment advisers, clearing agencies, and national securities exchanges. In releasing the report, OCIE emphasized that the SEC has focused on cybersecurity for years, including with the creation, in 2017, of the Cyber Unit within its Division of Enforcement, that cybersecurity is a key examination priority for OCIE, and that is has published eight cybersecurity-related risk alerts to date.2 In the accompanying press release, OCIE’s Director, Peter Driscoll, stated, “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”3
The report calls the practices it discusses “observations,” introduces them with the caveat that there is no such thing as a one-size-fits-all approach to cybersecurity, and terms like “best practices” and “recommendations” are avoided. However, as a practical matter, it is difficult to read the report as anything other than OCIE’s views on industry best practices for cybersecurity preparedness and operational resiliency. As such, it should be an important reference point for all SEC registrants in designing, maintaining, and enhancing their own cybersecurity programs.
The report’s primary focus areas are:
- Governance and risk management;
- Access rights and controls;
- Data loss prevention;
- Mobile security;
- Incident response and resiliency;
- Vendor management; and
- Training and awareness.
The report stresses that a “key element” of effective cybersecurity programs is a governance and risk management program that includes: “(i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.” OCIE encourages board and/or senior leadership attention to setting strategy and overseeing cybersecurity and resiliency programs. It further encourages routine and comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures.
In the past, the SEC has emphasized having reasonably designed cybersecurity policies and procedures in place, training, and testing. A substantial portion of the new report is devoted to incident response and resiliency. In OCIE’s view, firms should have risked-based response plans for various scenarios, e.g., denial of service attacks, malicious disinformation, and ransomware, including “extreme but plausible scenarios,” and test their plans and potential recovery times. Furthermore, OCIE stresses maintaining an inventory of core business operations and systems, understanding the impact on services from a system failure, determining which systems are capable of being substituted during a disruption, and ensuring geographic separation of back-up data. In the event an incident occurs, a firm should assess its response plan, and actual response, after the fact, to determine whether changes are needed.
SEC registrants should read the report carefully. We anticipate OCIE staff will view the adequacy of firms’ cybersecurity programs with a more critical eye going forward. We expect OCIE will want to see cybersecurity programs reasonably tailored to firms’ business that include:
- Formal policies and procedures;
- A current inventory of critical information technology assets;
- Cybersecurity training;
- Periodic risk assessments;
- Routine monitoring and testing;
- A robust incident response plan that is regularly tested; and
- Encryption of all confidential data —all the more so in the unfortunate event of a cyber-attack, intrusion, or other incident.
Many firms will look to vendors to meet their cybersecurity needs. In doing so, as emphasized by OCIE, firms should ensure vendors meet industry standards, including the functions observed in the report, conduct ongoing diligence to ensure such standards are met, and have procedures in place for terminating or replacing vendors.
Please contact your primary attorney at Seward & Kissel if you have any questions or want any assistance with your firm’s cybersecurity program.
1 OCIE, Cybersecurity and Resiliency Observations (Jan. 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
2 See Safeguarding Customer Records and Information in Network Storage—Use of Third Party Security Features (May 23, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P— Privacy Notices and Safeguard Policies (Apr. 16, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf; Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf; Observations from Cybersecurity Examinations (Aug. 7, 2017), https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; Cybersecurity: Ransomware Alert (May 17, 2017), https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf; OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf; Cybersecurity Examination Sweep Summary (Feb. 3, 2015), https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; and Investment Adviser Use of Social Media (Jan. 4, 2012), https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
3 See SEC Office of Compliance Inspections and Examination Publishes Observations on Cybersecurity and Resiliency Practices (Jan. 27, 2020), https://www.sec.gov/news/press-release/2020-20.