On January 27th, 2020, the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") released: OCIE Cybersecurity and Resiliency Observations. This report identifies industry practices related to managing and combating cybersecurity risks and firms' continuing ability to adapt when faced with cybersecurity threats. These observations are based on thousands examinations of broker-dealers, investment advisers, and other SEC registrants.
OCIE identified cybersecurity management practices in the areas of:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Incident Response
The most notable change is the addition of the new mobile security category.
Below we provide some additional detail on the latest areas of SEC cybersecurity focus:
1. Governance and risk management
OCIE notes that effective cybersecurity programs incorporate a governance and risk management program that includes: "(i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures."
OCIE has observed risk management and governance measures such as:
- Senior Level Engagement
- Risk Assessment
- Policies and Procedures
- Testing and Monitoring
- Continuously Evaluating and Adapting to Changes
2. Access rights and controls
Access rights and controls refer to allowing or limiting access to devices and systems only to those in the organization who are authorized to access data within those systems based on the users job responsibilities. According to OCIE, "Access controls generally include: (i) understanding the location of data, including
client information, throughout an organization; (ii) restricting access to systems and data
to authorized users; and (iii) establishing appropriate controls to prevent and monitor for
OCIE observed user access, access management, and access monitoring at organizations that have access rights and controls strategies.
3. Data loss prevention
Data loss prevention refers to the sets of tools and processes used to prevent the misuse or unauthorized access of sensitive data or non-public information ("NPI"). Data loss prevention measures utilized by organizations include:
- Vulnerability Scanning
- Perimeter Security
- Detective Security
- Patch Management
- Inventory Hardware and Software
- Encryption and Network Segmentation
- Insider Threat Monitoring
- Securing Legacy Systems and Equipment
4. Mobile security
As mobile devices add additional layers of vulnerabilities, it is critical that proper security measures are put in place to mitigate the risk of cyber attacks via mobile devices and applications. At organizations using mobile devices and applications OCIE has observed the following security measures:
- Policies and Procedures
- Managing the Use of Mobile Devices
- Implementing Security Measures
- Training Employees
5. Incident response and resiliency
As stated by OCIE, "Incident response includes: (i) the timely detection and appropriate disclosure of material
information regarding incidents; and (ii) assessing the appropriateness of corrective actions
taken in response to incidents" OCIE notes that business continuity and resiliency are integral components of an effective incident response plan.
- Development of a Plan
- Addressing Applicable Reporting Requirements
- Assigning Staff to Execute Specific Areas of the Plan
- Testing and Assessing the Plan
- Maintaining an Inventory of Core Business Operations and Systems
- Assessing Risks and Prioritizing Business Operations
- Considering Additional Safeguards
6. Vendor management
As firms increasingly rely on third-party vendors to manage business operations, vendor management is a critical area of focus within a firm's cybersecurity program. Policies and procedures related to vendor management should address due-diligence, overseeing vendors, ongoing risk assessment of vendors, and the vendors access and protection of sensitive information.
The following vendor management practices were observed by OCIE:
- Vendor Management Program
- Understanding Vendor Relationships
- Vendor Monitoring and Testing
7. Training and awareness
After creating policies and procedures around cybersecurity, its important that employees are aware of the cyber threats presented, their responsibilities within the cybersecurity program, and are equipped to respond to cybersecurity events.
In the area of cybersecurity training and awareness, OCIE observed the following practices:
- Policies and Procedures as a Training Guide
- Including Examples and Exercises in Trainings
- Training Effectiveness
Overall, the three primary types of cybersecurity risk for investment advisers as supported by OCIE's oberservations are people, technology, and vendors. It is important that firms focus on these primary areas when creating and implementing cybersecurity policies and procedures. The MyRIACompliance™ Cybersecurity Platform helps RIA firms address each of the above cybersecurity practice management areas by helping your firm create custom cybersecurity policies and procedures, control access rights, train and test staff, manage vendors, and respond to cybersecurity incidents.