February 18, 2020

February 17, 2020

The SEC’s Most Detailed Cybersecurity Guidance to Date

The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”

Consistent with Chairman Jay Clayton’s prioritization of cybersecurity issues across the SEC’s divisions and offices, OCIE’s Cybersecurity and Resiliency Observations (“OCIE Cyber Observations”) detail the SEC’s and OCIE’s focus on cybersecurity issues. Specifically, the OCIE Cyber Observations highlight that:

  • In an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency.

  • The SEC has focused, and will continue to focus, on cybersecurity issues, with particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under the federal securities laws.

The OCIE Cyber Observations cover the following topics: Governance and Risk Management; Access Rights and Controls; Data Loss Prevention; Mobile Security; Incident Response and Resiliency; Vendor Management; and Training and Awareness.

The OCIE Cyber Observations also recommend that registrants, issuers, other regulated entities, and investment professionals sign up for alerts published by the Cyber Infrastructure Security Agency. Further, the OCIE Cyber Observations encourage organizations to participate in information sharing groups through industry associations such as the Financial Services Information Sharing and Analysis Center. The OCIE Cyber Observations also provide insight and commentary on another key resource developed through the collaboration between government and industry: the National Institute of Standards and Technology Cybersecurity Framework.

The OCIE Cyber Observations conclude by stating that the SEC “encourage[s] market participants to review their practices, policies and procedures with respect to cybersecurity and resiliency.” As we have advised here previously, we recommend to our readers that they view SEC publications such as the OCIE Cyber Observations as guidance that should be followed and applied by regulated entities, as opposed to mere suggestion. The OCIE and Enforcement staff will be holding firms to this guidance. Thus, firms should proactively analyze the OCIE Cyber Observations, apply them to their businesses, and develop and implement remediation plans if necessary.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.


About this Author

James G. Lundy, Drinker Biddle, regulatory investigations lawyer, financial services compliance attorney

James G. Lundy represents clients in Securities and Exchange Commission (SEC), Commodities Futures Trading Commission (CFTC), self-regulatory organization, and other financial regulatory agency investigations and examinations, and compliance and governance counseling, white collar criminal investigations, and complex business litigation.

With 12 years of senior SEC experience and more than two years of in-house experience at a futures and securities brokerage firm, Jim has developed an in-depth working knowledge of the various...

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central District of California and then in the National Security and Cybercrime Section in the Eastern District of New York. Prior to his work as an Assistant U.S. Attorney, Pete practiced commercial litigation at a major international law firm in Los Angeles, handling matters including securities fraud, derivative actions and business disputes.

As a federal prosecutor, Pete worked extensively with numerous federal law enforcement and regulatory agencies to oversee grand jury investigations, criminal charging decisions, plea negotiations, motions practice, evidentiary hearings, trials, sentencing proceedings, and appeals. Pete has served as lead trial counsel in multiple criminal jury trials.

(212) 248-3147