The U.S. Securities and Exchange Commission (SEC) has published guidance to help firms in the securities market enhance their cybersecurity preparedness and operational resiliency.
The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management and training and awareness. The observations highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and respond in the event of an incident.
“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts,” said SEC Chairman Jay Clayton.  “I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”
“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,’ said Peter Driscoll, Director of OCIE.  “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
For Governance and Risk Management, for example, the SEC recommends:
  • Senior Level Engagement. Devoting appropriate board and senior leadership attention to setting the strategy of and overseeing the organization’s cybersecurity and resiliency programs.
  • Risk Assessment. Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization’s business. This includes considering the organization’s business model, as part of defining a risk assessment methodology, and working to identify and prioritize potential vulnerabilities, including remote or traveling employees, insider threats, international operations and geopolitical risks, among others.
  • Policies and Procedures. Adopting and implementing comprehensive written policies and procedures addressing the areas discussed below and identified risks.
  • Testing and Monitoring. Establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis. Testing and monitoring can be informed based on cyber threat intelligence.
  • Continuously Evaluating and Adapting to Changes. Responding promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involving board and senior leadership appropriately.
  • Communication. Establishing internal and external communication policies and procedures to provide timely information to decision makers, customers, employees, other market participants, and regulators as appropriate.
OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk and inform SEC policy.