September 27, 2021

Volume XI, Number 270

OCIE Provides Observations on Cybersecurity and Operational Resiliency Best Practices

On January 27, 2020, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission issued a statement summarizing its observations of the cybersecurity and operational resiliency practices of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants (the Observations). In its introduction to the Observations, the OCIE staff notes that cybersecurity is a key priority for OCIE. Therefore, although the OCIE staff acknowledges that there is no “one-size-fits-all” approach to addressing cybersecurity, it recommends that SEC registrants assess their own cybersecurity practices in light of the Observations.

The recommendations of the Observations include the following:

  • Governance and Risk Management. OCIE observed that the key elements of effective governance and risk management programs include: 1) senior level engagement in setting the strategy and overseeing the cybersecurity and resiliency program; 2) developing and conducting risk assessments to identify and mitigate risks; 3) adopting and implementing comprehensive policies and procedures addressing cybersecurity; 4) establishing comprehensive testing and monitoring of cybersecurity policies and procedures; 5) responding promptly to testing and monitoring results; and 6) establishing internal and external communication policies and procedures to provide timely information to the appropriate parties.

  • Access Rights and Controls. OCIE observed that strategies for determining appropriate users for firm systems include: 1) understanding access needs; 2) managing and restricting users as appropriate; and 3) preventing, monitoring and investigating unauthorized access.

  • Data Loss Prevention. OCIE observed the use of the following data loss prevention measures: 1) establishing a vulnerability management program; 2) establishing perimeter security and monitoring network traffic; 3) implementing systems that provide detective security controls; 4) establishing a patch management program; 5) inventorying hardware and software; 6) securing data through encryption and network segmentation; 7) creating an insider threat program to identify suspicious behaviors; and 8) decommissioning and disposing of hardware and software in a manner that does not create vulnerabilities.

  • Mobile Security. OCIE observed that vulnerabilities related to the use of mobile devices and mobile applications may be mitigated by: 1) establishing policies and procedures for the use of mobile devices; 2) using a mobile device management application to manage a firm’s mobile device applications; 3) implementing security measures, which may include preventing printing, copying or saving information to personally owned devices and remotely clearing data and content from devices; and 4) training employees on policies and practices to protect mobile devices.

  • Incident Response and Resiliency. OCIE observed that incident response plans tend to include the following: 1) developing a risk-assessed incident response plan for various scenarios and maintaining procedures on appropriate notification, escalation and communication of cybersecurity incidents; 2) addressing how to meet applicable reporting requirements; 3) assigning staff to execute specific areas of the plan; and 4) testing the plan and recovery times. In addition, OCIE observed that addressing resiliency includes: 1) identifying and prioritizing core business services; 2) determining which systems can be substituted during disruption; 3) implementing geographic separation of back-up data; 4) considering the effects of business disruptions; and 5) potentially purchasing cybersecurity insurance.

  • Vendor Management. OCIE observed that proper vendor management includes: 1) conducting due diligence of vendors; 2) understanding vendor relationships and contract terms, along with the risks related to vendor outsourcing; and 3) monitoring vendor relationships to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.

  • Training and Awareness. OCIE observed that sound training practices include: 1) training staff to implement the firm’s policies and procedures and building a culture of cybersecurity readiness and operational resiliency; 2) providing cybersecurity examples and exercises, including phishing exercises and training on how to identify and respond to breaches and suspicious client behavior; and 3) monitoring training attendance and continuously updating trainings based on cyber-threat intelligence.

The Observations further encourage SEC registrants to: 1) monitor the SEC’s Cybersecurity Spotlight page; 2) sign up for alerts from the Cybersecurity and Infrastructure Security Agency (CISA); 3) participate in information-sharing groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC); and 4) consult the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The Observations are available here.

©2021 Katten Muchin Rosenman LLP
National Law Review, Volume X, Number 31

About this Author

David Y. Dickstein, Financial Services Lawyer, Katten Muchin Rosenman LLP
Partner

David Dickstein represents broker-dealers, investment advisers, investment companies and hedge funds in connection with a variety of regulatory, compliance and operational matters. David regularly counsels investment advisers on registration and regulatory matters, such as the need for registration, conflict of interest disclosures, soft dollars and best execution, firm advertising and marketing, federal and state pay-to-play matters, trade allocations and personal trading. He also advises broker-dealers on registration and ongoing compliance matters, mutual fund supermarkets...

212-940-8506
Elise Michael, Finance Law Attorney, Katten Muchin Rosenman LLP, New York
Associate

Elise Michael represents clients in the financial services industry. Prior to joining Katten, Elise was at J.P. Morgan Chase, where she supported the Private Bank’s advisory and alternatives businesses.

While in law school, Elise was a corporate scholar in the Samuel & Ronnie Heyman Center on Corporate Governance and the managing editor of the Cardozo Arts & Entertainment Law Journal. She also served as an intern with the US Commodity Futures Trading Commission (CFTC).

212-940-6610