OCIE Provides Cybersecurity Best Practices Identified in Examinations

Cybersecurity has been a key priority for the SEC and its Office of Compliance Inspections and Examinations (OCIE) in recent years. The OCIE regularly releases publications addressing cybersecurity risks and practices, including eight risk alerts related to cybersecurity since 2012.

In the latest example, OCIE recently published its Cybersecurity and Resiliency Observations Report, describing 34 best practices culled from its assessment of thousands of past examinations of SEC registrants.

In this client alert, we highlight the top ten controls recommended in the report that have been relevant in cybersecurity matters that we have handled for our clients:

1. Risk Assessment: Develop and conduct a risk assessment process to identify, manage and mitigate cyber risks, such as remote or traveling employees, insider threats, international operations and geopolitical risks. 

2. Access Monitoring: Develop procedures to monitor user access (including failed login attempts and account lockouts), and ensure proper handling of customers’ requests for credential changes as well as proper authentication of anomalous or unusual customer requests.

3. Detective Security: Implement capabilities that can detect threats on endpoints, such as software that prevents and detects malware (utilizing both signature and behavioral-based capabilities) and identifies incoming fraudulent communications. Establish policies and procedures to capture and keep system logs for aggregation and analysis. For software that provides automated actions (e.g., macros, scripts), enable optional security features or follow security guidance offered by third party software providers.

4. Patch Management: Establish a patch management program covering all software (whether it be developed in-house, custom off-the-shelf or other third party software) and hardware, including anti-virus and anti-malware installation.

5. Insider Threat Monitoring: Create an insider threat program to identify suspicious behaviors. Create rules to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information) outside of the organization.

6. Implement Mobile Security Measures: Require the use of multi-factor authentication for all internal and external users. Take steps to prevent saving information to personally owned devices. Ensure the ability to remotely clear data and content from lost devices or a device that belongs to a former employee.

7. Test and Assess the Incident Response Plan: Using methods such as tabletop exercises, test the incident response plan and potential recovery times. If an incident occurs, conduct a post-incident debrief by assessing the registrant’s response to the incident to determine whether any changes to the procedures are necessary.

8. Additional Incident Response Safeguards: Consider maintaining back-up data in a different network and offline, and evaluate whether cybersecurity insurance is appropriate for the business.

The insurance market for cybersecurity remains a moving target. We recommend that advisers shop for cyber insurance and, to put the best possible program together, it will be helpful to adopt and implement the best practices.

9. Vendor Monitoring and Testing: Monitor vendor relationships to ensure that vendors continue to meet security requirements and to be aware of changes to a vendor’s services or personnel.

10. Policies and Procedures as a Training Guide: Train staff to implement the organization’s cybersecurity policies and procedures, and engage staff to build a culture of cybersecurity readiness and operational resiliency.

Compliance officers should note the measures and best practices described in OCIE’s report since they provide an insight into OCIE’s cybersecurity expectations and what regulators are looking for. Firms should aim to operate in a way that meets these expectations, so that they are prepared not only in the event of an examination, but also if they have a security incident.

While best practices are not law, over the years we have seen many deficiency letters for advisers who have not recognized that best practices quickly become the equivalent of agency policy. Cybersecurity appears to be a trend in the same vein, and thoughtful firms, accordingly, will address the best practices.

Unlike other compliance areas, where one size seems to fit all, cybersecurity absolutely is an area requiring customization. Merely copying another firm’s compliance manual, or website posting, is a recipe for disaster. During an inspection, OCIE staff can be expected to review cyber policies and confirm compliance, so firms should be careful and thoughtful about what becomes codified as policy and then take all steps to adhere to it (and monitor it).