US SEC issues new guidance on Cybersecurity and Resiliency: Is your firm prepared?
While the SEC acknowledged that there is no “one-size fits all” approach, a recent discussion by its Office of Compliance Inspections and Examinations is a useful guide as to the industry practices and measures that OCIE may consider when assessing an organization’s cybersecurity preparedness and potential deficiencies. As in recent years, cybersecurity will continue to be a key element of OCIE’s examination program in 2020 and will likely remain an examination priority for years to come.
The Office of Compliance Inspections and Examinations of the U.S. Securities and Exchange Commission (recently published its Cybersecurity and Resiliency Observations to guide market participants in enhancing their cybersecurity preparedness and operational resiliency.
Based on its recent examinations of broker-dealers, investment advisers and other SEC registrants, OCIE identified certain measures and industry practices that, when implemented, OCIE believes can effectively combat cybersecurity risk.
Does your firm have a documented, tailored approach to governance and risk management?
Firms should conduct risk assessments to identify cybersecurity risks specific to their organizations (e.g., remote or traveling employees, insider threats, international operations and geopolitical risks).
Firms should also adopt and implement comprehensive written polices to address such risks and establish and conduct regular and frequent testing and monitoring of their cybersecurity policies and programs. If testing uncovers vulnerabilities, firms should respond promptly to address any gaps and weaknesses in their policies.
Senior leadership engagement
Finally, OCIE noted that active engagement from a firm’s senior leadership is a hallmark of an effective cybersecurity program. A firm’s senior leaders and board should therefore devote appropriate attention to understanding, prioritizing, communicating and mitigating cybersecurity risks.
How does your firm limit access rights and what internal controls are in place?
Firms should implement and actively monitor access controls that limit access to sensitive systems and data to those with a legitimate and authorized business need. Access should, among other things:
- be monitored, adjusted and terminated, as appropriate, during personnel onboarding, transfers and terminations
- be periodically recertified, particularly for users with elevated privileges
- require the use of strong and periodically changed passwords
- utilize multi-factor authentication, including through applications or key fobs that generate an additional verification code.
Firms should also monitor for failed login requests, account lockouts and requests for username and password changes.
How well do you know and trust your vendor’s data security practices to keep your firm’s data safe?
Firms should implement vendor management programs to engage and monitor vendors that meet requisite security requirements, including by leveraging questionnaires based on industry standards and arranging for independent audits.
Firms should also understand all vendor contract terms, including how responsibilities and expectations are allocated between the firm and the vendor, and to ensure that the firm has procedures in place to terminate or replace vendors as necessary.
Each vendor relationship should be re-evaluated on an ongoing basis to ensure that vendors are adapting to new cyber-threats and a firm’s evolving business.
Does your firm have a working incident response plan in the event of a breach, and when was it last tested?
Incident response plans
Firms should develop a risk-assessed incident response plan to address various cybersecurity breaches and other incidents (including, among other scenarios, denial of services attacks, malicious disinformation, ransomware and key employee succession).
Firms should implement, maintain and regularly test policies and procedures that address, among other things:
- timely notification and response if an event occurs
- a process to escalate incidents to the appropriate levels of management, including legal and compliance
- communication with key stakeholders, including notifying customers, clients and employees that their data is compromised.
Communication plans and training
Firms should have a plan in place to communicate with the appropriate regulatory authorities and to comply with any applicable reporting requirements. In addition, firms should designate and train employees for specific roles and responsibilities in the event of a cyber incident.
Finally, firms should assess vulnerabilities specific to their business operations and should consider implementing safeguards (e.g., back-up systems, geographic separation of back-up data, cyber insurance, etc.) to ensure the resiliency of core business operations and systems in the event of a cyber incident.
Are employees trained on and aware of the firm’s cybersecurity program?
OCIE identified employee training as a key component of an effective cybersecurity program. Firms should train staff on the implementation of the firm’s cybersecurity program, including by providing specific cybersecurity and resiliency training (e.g., phishing exercises and exercises to help employees identify and respond to indicators of suspicious behavior and breaches).
Firms should also monitor to ensure employees attend trainings and should re-evaluate and update trainings to account for new cyber threats.
Has your firm adopted adequate mobile device security policies, especially for BYODs?
Firms are encouraged to implement a mobile device management application or similar technology, including for email, calendar, data storage and other activities. Firms that utilize a “bring your own device” policy should ensure that their mobile device management solutions work with all mobile phone/device operating systems.
Firms should also implement additional security measures (e.g., multi-factor authentication, preventing the transmission of sensitive information to personally-owned computers, tablets and smartphones, and ensuring the firm’s ability to remotely clear data from lost devices or devices belonging to former employees). Firms should also ensure that personnel and employees are trained on mobile device policies and best practices.
What data security measures has your firm implemented to prevent data loss and breaches?
Firms should implement policies and procedures to ensure that sensitive information is not lost, misused or accessed by unauthorized users. Such policies and procedures include, among others:
- conducting routine scans of software code, web applications, servers, databases, workstations and endpoints within the firm and third-party providers
- implementing firewalls, intrusion detection systems, email security capabilities and web proxy systems
- monitoring access to personal email, cloud-based file sharing services, social media sites and removable media
- implementing capabilities that detect threats on endpoints, including products that can identify incoming fraudulent communications to prevent unauthorized software or malware from running
- establishing a patch management program covering all firm software and hardware, including anti-virus and anti-malware installation
- maintaining an inventory of all of the firm’s hardware and software
- utilizing encryption to secure data and systems
- implementing programs to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information and source code)
- establishing procedures to ensure legacy hardware and software is decommissioned safely, including by removing sensitive information prior to disposal.
Is your firm’s cybersecurity program in line with industry practice?
Market participants must always consider their businesses’ resources and operational needs when developing and implementing an effective cybersecurity program. Nevertheless, the measures discussed in OCIE’s most recent guidance provide useful insight into the industry practices and measures OCIE is likely to consider and evaluate in future examinations.
While these measures are neither mandatory nor exhaustive, they are instructive and warrant particular attention. We recommend that U.S. firms review their cybersecurity programs with these core data security elements in mind and consider improvements before their next examination.