SEC Releases Cybersecurity Observations and Guidance - The SEC's Office of Compliance Inspections and Examinations ("OCIE") released a report detailing its cybersecurity and resiliency observations, which may suggest benchmarks for future inspections and could inform possible enforcement determinations.

Marjorie Duffy, Richard Martinez, Joan McKown, Lisa Ropple
Jones Day
Contact
LinkedIn
Facebook
X
Send
Embed

Jones Day

On January 27, 2020, OCIE issued a report detailing cybersecurity and resiliency observations the staff made after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report offers a snapshot of current market practices in seven key areas:

  1. Governance and Risk Management
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Mobile Security
  5. Incident Response and Resiliency
  6. Vendor Management
  7. Training and Awareness.

Going Beyond Written Policies to Continuously Implemented Practices

The report stressed the need for something more than the one-time establishment of policies and procedures and instead encouraged organizations to engage in continual testing and monitoring for compliance, as well as periodic risk assessments of threats and safeguards. Other observed policies and procedures outlined in the report include those pertaining to user access management, vulnerability and perimeter scanning, encryption and network segmentation, mobile device management applications, incident response planning and testing, vendor management programs, training and awareness, and others.

Implications

Enforcement actions to date have generally focused on regulated entities that maintained what the agency viewed as inadequate cybersecurity policies and procedures under Regulations S-P and S-ID. And in its 2020 Examination Priorities and earlier statements, OCIE has consistently identified governance and risk assessment, access rights and control, data loss prevention, vendor management, training, and incident response as key areas of focus. In the recent report, OCIE added mobile security as an additional stand-alone area of focus.

The report notes that "there is no such thing as a 'one-size fits all' approach." Because the report identifies what OCIE has favorably observed in recent examinations of cybersecurity programs, however, the observations may suggest benchmarks for future inspections and could inform possible enforcement determinations.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day
Jones Day
Contact
more
less

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide