SEC Releases Cybersecurity Observations and Guidance - The SEC's Office of Compliance Inspections and Examinations ("OCIE") released a report detailing its cybersecurity and resiliency observations, which may suggest benchmarks for future inspections and could inform possible enforcement determinations.

Jones Day

Jones Day

On January 27, 2020, OCIE issued a report detailing cybersecurity and resiliency observations the staff made after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report offers a snapshot of current market practices in seven key areas:

  1. Governance and Risk Management
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Mobile Security
  5. Incident Response and Resiliency
  6. Vendor Management
  7. Training and Awareness.

Going Beyond Written Policies to Continuously Implemented Practices

The report stressed the need for something more than the one-time establishment of policies and procedures and instead encouraged organizations to engage in continual testing and monitoring for compliance, as well as periodic risk assessments of threats and safeguards. Other observed policies and procedures outlined in the report include those pertaining to user access management, vulnerability and perimeter scanning, encryption and network segmentation, mobile device management applications, incident response planning and testing, vendor management programs, training and awareness, and others.


Enforcement actions to date have generally focused on regulated entities that maintained what the agency viewed as inadequate cybersecurity policies and procedures under Regulations S-P and S-ID. And in its 2020 Examination Priorities and earlier statements, OCIE has consistently identified governance and risk assessment, access rights and control, data loss prevention, vendor management, training, and incident response as key areas of focus. In the recent report, OCIE added mobile security as an additional stand-alone area of focus.

The report notes that "there is no such thing as a 'one-size fits all' approach." Because the report identifies what OCIE has favorably observed in recent examinations of cybersecurity programs, however, the observations may suggest benchmarks for future inspections and could inform possible enforcement determinations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.