The SEC’s Office of Compliance Inspections and Examinations (OCIE) published a new report on the findings from examining the methods used by market participant organizations.
It’s nice both to understand what your peer organizations are doing and to get a nod from a governing body that the measures your own organization is taking are up to par and meet compliance guidelines. The SEC’s OCIE recently released a set of observations gathered through examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and other relevant organizations.
In it, they cover a wide range of areas related to cybersecurity, including Governance and Risk Management, Access Rights and Control, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management, and Training and Awareness.
For each aspect, OCIE spells out the best practices they observed across a wide range of organizations subject to the SEC.
Some of the more notable (and less traveled) practices include:
- Vulnerability Scanning – proactively and routinely scanning systems, applications, and code for vulnerabilities that need to be patched.
- Testing and Monitoring of Policies and Procedures – assessing whether cybersecurity policies and procedures remain effective as the threat landscape changes.
- Insider Threat Monitoring – with most organizations focused on external threats, the SEC sees the value in also looking inward.
- Building a Security Culture – through Security Awareness Training, organizations need to continually educate users on how to identify and respond to attacks and breaches.
The overarching theme is a layered security strategy: OCIE’s report promotes an implementation that protects an organization’s perimeter, systems, applications, privileged access, data ingress/egress, devices, and users.