SEC Releases Results of Cybersecurity and Resiliency Practices Examinations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) published a new report on the findings from its examinations of the cybersecurity and resiliency methods used by market participant organizations.

It’s nice to both understand what your peer organizations are doing, as well as get a nod from a governing body that the measures being taken by your own organization are up to par and meet compliance guidelines. The SEC’s OCIE recently released a set of observations gathered through examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and other relevant organizations.

In it, they cover a wide range of areas related to cybersecurity, including Governance and Risk Management, Access Rights and Control, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management, and Training and Awareness.

For each aspect, OCIE spells out the best practices they observed across a wide range of organizations subject to the SEC.

Some of the more notable (and less commonly adopted) practices include:

  • Vulnerability Scanning – proactively and routinely scanning systems, applications, and code for vulnerabilities that need to be patched.
  • Testing and Monitoring of Policies and Procedures – assessing how effective cybersecurity policies and procedures remain as the threat landscape changes.
  • Insider Threat Monitoring – with most organizations focused on external threats, the SEC sees the value in also looking inward.
  • Building a Security Culture – leveraging Security Awareness Training, organizations need to continually educate users on how to identify and respond to attacks and breaches.

With the overarching theme being the use of a layered security strategy, OCIE’s report promotes an implementation that protects an organization’s perimeter, systems, applications, privileged access, data ingress/egress, devices, and users.

Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal: continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
