The Office of Compliance Inspections and Examinations of the Securities and Exchange Commission released cybersecurity and resiliency-related examination observations on January 27, 2020, based on “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants” (collectively, market participants). OCIE’s recorded observations (2020 Examination Observations) – which OCIE is providing “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency” – identify practices taken by market participants in seven key areas:
- Governance and risk assessment;
- Access rights and controls;
- Data loss prevention;
- Mobile security;
- Incident response and resiliency;
- Vendor management; and
- Training and awareness.
For a number of years, OCIE has identified cybersecurity as a key risk for market participants, and cybersecurity has been a consistent area of focus in OCIE’s examination program. In September 2015, OCIE issued a National Exam Program Risk Alert,1 which focused on its cybersecurity examination initiative and identified six exam priorities for cybersecurity preparedness. It is notable that the areas of focus identified in the 2015 cybersecurity risk alert are the same as six of the seven key areas identified in the 2020 Examination Observations. This is not surprising, as these consistently have been the SEC’s areas of focus with respect to routine and cybersecurity-focused examinations. Enforcement brought under Regulation S-P also has been linked to these same areas of focus. OCIE’s 2020 Examination Observations provide a benchmark of industry standards that market participants can use to address the key cybersecurity risk areas that OCIE has identified in recent years.
This Dechert OnPoint summarizes each of the key areas identified in the 2020 Examination Observations and highlights OCIE’s recommendations to market participants.
Governance and Risk Management
OCIE observed that an effective cybersecurity program “generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.”
OCIE identified the following practices that market participants were using to address cybersecurity issues through governance and risk management programs:
- Ensuring appropriate senior level engagement in setting and overseeing the cybersecurity program;
- Developing and conducting appropriate cybersecurity risk assessments that prioritize specific vulnerabilities and risks;
- Developing and implementing “comprehensive written policies and procedures”;
- Performing testing and security monitoring;
- Assessing and updating cybersecurity policies in response to any identified “gaps or weaknesses” and involving boards and senior-level individuals where relevant; and
- Instituting effective communication plans to ensure that information is shared appropriately with all relevant parties.
Access to Rights and Controls
OCIE indicated that access and control policies “generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.” OCIE noted that market participants have implemented specific access management strategies, including: instituting multi-factor authentication, and limiting access based on individuals’ current role within the organization (including at the time of “onboarding, transfers and terminations”).
Data Loss Prevention
OCIE identified a number of security measures used by market participants to prevent data loss, including:
- Routinely conducting vulnerability scanning;
- Establishing appropriate perimeter security controls to assess “incoming and outgoing network traffic” in order to limit “unauthorized or harmful traffic,” including through the use of “firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering”;
- Implementing appropriate security systems to detect incoming security threats;
- Using patch management programs that cover both software and hardware, whether internal or external;
- Keeping an inventory of the hardware and software used and how each type is protected;
- Using encryption tools for data in transit and at rest;
- Establishing an “insider threat program” to detect suspicious behavior, conduct security testing, and restrict the onward communication of sensitive or confidential information; and
- Removing sensitive data from decommissioned hardware or software and conducting regular risk assessments as hardware or software is replaced with new technologies.
This is the single key area OCIE identified in the 2020 Examination Observations that was not previously included as a focus in OCIE’s 2015 Cybersecurity Risk Alert. OCIE observed that mobile devices create unique cybersecurity concerns and identified certain measures that organizations have implemented to address these concerns, including:
- Establishing appropriate policies and procedures for the use and security of mobile applications;
- Creating “mobile device management” (MDM) programs that can be integrated with employees’ personal devices when used for company business;
- Implementing security measures, including multi-factor authentication and the ability to remotely clear data from mobile devices; and
- Conducting appropriate employee training regarding the use of mobile technology.
Incident Response and Resiliency
OCIE explained that incident response includes: “(i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents.” Based on OCIE’s observations, an effective incident response plan should consider not only the organization’s response to an incident, but also the organization’s resiliency in terms of how quickly it can recover from such an incident.
OCIE observed that many market participants with incident response plans include the following components or considerations:
- Developing an incident response plan based on various scenarios, particularly in light of prior incidents and anticipated cybersecurity threats;
- Determining relevant federal and state incident reporting requirements and notifying the relevant authorities and impacted stakeholders following a security incident;
- Assigning employees with appropriate roles to respond during a cybersecurity incident; and
- Routinely testing the incident response plan and re-assessing the plan’s effectiveness following an actual security incident.
In order to ensure appropriate business continuity and resiliency in response to a security incident, OCIE observed that market participants have identified essential business services and assessed the potential impact if a business system or process is unavailable due to a cybersecurity incident. In developing a resiliency strategy, OCIE observed that organizations have considered the following measures: “(i) determining which systems and processes are capable of being substituted during disruption so that business services can continue to be delivered; (ii) ensuring geographic separation of back-up data and avoid concentration risk; and (iii) the effects of business disruptions on both the institution’s stakeholders and other organizations.”
OCIE observed that cybersecurity programs “generally include the policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.”
OCIE observed market participant practices of: relying on questionnaires and independent audits to ensure vendors implement appropriate security measures; implementing procedures for removing or replacing vendors if vendors do not adequately fulfill their security commitments; and continuously monitoring vendors to ensure they fulfill their security obligations and identify any changes in the vendor’s personnel or services. OCIE also observed that market participants have reviewed the terms of their vendor agreements in order to understand how cybersecurity risk is addressed, and to understand any risks associated with using third-party service providers (particularly cloud-based service providers, which was the subject of a May 2019 OCIE Risk Alert).2
Training and Awareness
OCIE identified employee training as a “key component” of an effective cybersecurity program. OCIE observed that market participants are engaging in the following practices:
- Training employees as to the implementation of cybersecurity policies and procedures;
- Building a culture among employees of “cybersecurity readiness and operational resiliency”;
- Providing specific training exercises, including trainings to help employees recognize phishing emails, respond to incident breaches, and respond to suspicious activities; and
- Continually monitoring employee attendance in trainings and evaluating the effectiveness of employee trainings.
In light of the 2020 Examination Observations, market participants should:
- Continue to evaluate privacy policies and procedures against the key areas of focus the SEC Staff has routinely identified as examination priorities and reiterated again in the 2020 Examination Observations;
- Benchmark cybersecurity policies against the specific and technical industry practices identified in the 2020 Examination Observations, and consider whether certain mechanisms should be updated to align with approaches taken by other market participants and which were identified as positive by OCIE; and
- Pay particular attention to policies related to mobile devices and mobile device management, and consider whether additional security measures or safeguards should be implemented to address unique cybersecurity-related risks.
As OCIE has continued to focus on comparable key areas for a number of years, organizations that have not effectively updated their cybersecurity programs to robustly address these areas have now fallen behind. Organizations should therefore not only benchmark their practices against the 2020 Examination Observations, but also should circle back to ensure that their steps previously taken and policies implemented during prior cybersecurity reviews and initiatives remain consistent with current best practices. As OCIE stated, firms should be “continuously evaluating and adapting to changes.” In the fast-moving cybersecurity and privacy space, vendor provisions, disclosure statements and technical upgrades that may have been best-of-breed at the time of implementation may now appear outdated to regulators, clients and customers. Therefore, firms should use the reviews they conduct in relation to the 2020 Examination Observations as an opportunity to reaffirm their practices against OCIE expectations and industry practices.
1) Risk Alert, Office of Compliance Inspections and Examinations, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015). For further information, please refer to Dechert OnPoints, The Good and the Bad from OCIE’s Cyber Examinations and What Firms Should Do Next and SEC Cybersecurity Examinations and Enforcement: What Broker-Dealers and Investment Advisers Need to Know.
2) Risk Alert, Office of Compliance Inspections and Examinations, Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019). For further information, please refer to Dechert OnPoint, OCIE Publishes Risk Alert regarding Safeguarding of Customer Information Stored on Cloud and Other Network Storage Solutions.