Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency. These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.
As a nod toward the ever-evolving, increasingly sophisticated nature of cyber threats today, and a recognition that the best defense is often a good offense, the OCIE’s “Cybersecurity and Resiliency Observations” are largely preventative. These observations span the following categories: Governance and Risk Management; Access Rights & Controls; Data Loss Prevention; Mobile Security; Vendor Management; Training & Awareness; and – because preventative measures aren’t always successful – Incident Response and Resiliency.
Among the key highlights is an emphasis on strong infrastructural safeguards. To this end, the OCIE recommends that institutions develop risk assessment processes in order to identify the kinds of risk to which the institution is most susceptible, and the vulnerabilities unique to its particular business model. This might include seemingly innocuous features of a modern work environment, such as system access by remote or traveling employees. It might also include other concerns, such as expanding business operations overseas, or potential insider threats, which can arise anywhere in an organization. To limit insider threats and unauthorized data access more generally, the OCIE recommends restricting access to sensitive information based upon job responsibilities. Under the OCIE’s proposal, only authorized employees could access sensitive systems and data, including client information. Internal controls could also be established to re-certify user rights on a periodic basis, and to prevent and monitor unauthorized access.
The OCIE also focuses on mobile security and vendor management. Specifically, the OCIE advises that companies use a mobile device management application, or similar technology, to prevent information from being copied or stored to personally owned smartphones, computers or other electronics. Multi-factor authentication is also recommended as an additional security measure. Additionally, the memo encourages organizations to develop a risk assessment process around vendor selection, and to vet vendors to ensure that they have their own data protection measures. As the SEC notes, some organizations have established a vendor management program to ensure their vendors meet specific security requirements and implement appropriate safeguards.
Because risk mitigation isn’t always successful, the memo also emphasizes the importance of developing a robust incident response plan that contemplates the kinds of data breaches the organization might encounter. Such a plan might include pre-established corrective action procedures to ensure that the business can recover and continue to function, as well as policies around timely notification and disclosure of information about the incident to the appropriate levels of management, key stakeholders, regulators, and clients, if necessary.
Despite heightened awareness around data security, no company is entirely safe, and it is imperative that organizations continue to develop and implement best practices to protect against these attacks.