SEC Publishes Cybersecurity and Resiliency Best Practices
- Senior Level Engagement. Devoting appropriate board and senior leadership attention to setting the strategy for, and overseeing, the organization’s cybersecurity and resiliency programs.
- Risk Assessment. Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization’s business. This includes considering the organization’s business model, as part of defining a risk assessment methodology, and working to identify and prioritize potential vulnerabilities, including remote or traveling employees, insider threats, international operations and geopolitical risks, among others.
- Policies and Procedures. Adopting and implementing comprehensive written policies and procedures addressing the areas discussed below and identified risks.
- Testing and Monitoring. Establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis. Testing and monitoring can be informed by cyber threat intelligence.
- Continuously Evaluating and Adapting to Changes. Responding promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involving board and senior leadership appropriately.
- Communication. Establishing internal and external communication policies and procedures to provide timely information to decision makers, customers, employees, other market participants, and regulators as appropriate.