SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

McGuireWoods LLP

Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.

In response to these threats, EXAMS has announced that it will focus its reviews on whether firms have taken appropriate security measures to:  (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;  (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment.  In addition, access control issues related to investor account information when utilizing online and mobile apps is also on the EXAMS review radar for 2021, as well as the security of electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers.  Also, expect an EXAMS review to include an evaluation of the firm’s policies and procedures related to the protection of investor records and information.  EXAMS has indicated that defensible policies and procedures are a key component to information security and will probably be in scope for routine reviews.

Firms can prepare for an EXAMs review by reevaluating their existing Information Security Policy, Incident Response Plan, Vendor Management Policy and employee training.  An internal assessment of of these policies and procedures for gaps in defensibility can be accomplished in five (5) steps.  First, examine the organization’s Information Security Policy to ensure there are standards for strong authentication procedures to prevent account intrusions and unauthorized access as well to manage remote employee access effectively and securely.  Second, assess whether the Incident Response Plan contains up to date, tested procedures to identify, contain, manage and remediate malicious phishing attempts, account intrusions and ransomware attacks.  Third, review the current Vendor Management Policy to verify that the guidance for identifying risky vendors is practical and comprehensive.  Fourth, also review the Vendor Management Policy to ensure that it documents the controls implemented to minimize vendor risk, particularly with regard to personally identifiable information.

Last, the importance of continuously training employees on cybersecurity cannot be overvalued.  Training is critical to reducing the harmful effects of cyberattacks and data breaches caused by human error.  Human beings are still the weakest link in every organization’s security plan.  By making employees aware of the scope of the threats, and what’s at stake if security fails, every firm can reduce its cyber exposure.  The dramatic surge in employees working from home has exponentially increased security incidents.  In a recent study by Barracuda Networks, 46 percent of respondents experienced at least one security incident since lockdown restrictions were implemented in 2020 and 51 percent saw an increase in email phishing attacks.

In summary, the EXAMs 2021 Examination Priorities related to information security provide good insight as to what firms can expect during a review.  By following the five (5) steps outlined above, firms can address cybersecurity issues proactively prior to a review.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.