
U.S. Securities & Exchange Commission Publishes “Cybersecurity and Resiliency Observations”

On January 27, 2020, the U.S. Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations on the cybersecurity and operational resiliency practices of market participants. Drawing on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants, OCIE organized its observations around seven broad topics: (1) governance and risk management; (2) access rights and controls; (3) data loss prevention; (4) mobile security; (5) incident response and resiliency; (6) vendor management; and (7) training and awareness. While emphasizing that cybersecurity is a key priority for OCIE, the report also acknowledged that there is no “one-size fits all” approach and that not every practice discussed in the report will be appropriate for every organization. Organizations will nonetheless want to review these observations closely and consider adopting the measures that are appropriate for them under the circumstances.

In particular, the examination observations highlight the need for the right tone at the top in ensuring an effective cybersecurity program. Written cybersecurity policies and procedures are essential, but they are likely not enough. The report emphasizes that an effective cybersecurity program will also include risk assessments to identify cybersecurity risks, testing and monitoring to validate the effectiveness of those policies, and continuous evaluation and adaptation to changes. Organizations should also adopt and implement an incident response plan that addresses both business continuity and resiliency, that is, how quickly an organization could recover after a cybersecurity incident and again safely serve clients.

Also noteworthy was the report’s focus on data loss prevention and third-party vendors. OCIE noted that it has observed several data loss prevention measures used by organizations, including vulnerability scanning, perimeter security, detective security, patch management, inventories of hardware and software, encryption and network segmentation, insider threat monitoring, and securing legacy systems and equipment. An effective cybersecurity program will consider whether these measures should be adopted. In addition, the report focuses on practices and controls related to vendor management. Organizations should have vendor management programs in place that ensure vendors meet security requirements, appropriately safeguard against cybersecurity risks, and are continuously monitored and tested.

OCIE’s press release and a copy of the examination observations can be found here:

For more information on cybersecurity, contact Matt Fornshell, Meredith Wood, or another member of our Securities Litigation and Regulation Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.