The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”
Consistent with Chairman Jay Clayton’s prioritization of cybersecurity issues across the SEC’s divisions and offices, OCIE’s Cybersecurity and Resiliency Observations (“OCIE Cyber Observations”) detail the SEC’s and OCIE’s focus on cybersecurity issues. Specifically, the OCIE Cyber Observations highlight that:
- In an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency.
- The SEC has and will continue to focus on cybersecurity issues, with particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under the federal securities laws.
The OCIE Cyber Observations cover the following topics: Governance and Risk Management; Access Rights and Controls; Data Loss Prevention; Mobile Security; Incident Response and Resiliency; Vendor Management; and Training and Awareness.
The OCIE Cyber Observations also recommend that registrants, issuers, other regulated entities, and investment professionals sign up for alerts published by the Cyber Infrastructure Security Agency. Further, the OCIE Cyber Observations encourage organizations to participate in information sharing groups through industry associations such as the Financial Services Information Sharing and Analysis Center. The OCIE Cyber Observations also provide insight and commentary on another key resource developed through the collaboration between government and industry: the National Institute of Standards and Technology Cybersecurity Framework.
The OCIE Cyber Observations conclude by stating that the SEC “encourage[s] market participants to review their practices, policies and procedures with respect to cybersecurity and resiliency.” As we have advised here previously, we recommend to our readers that they view SEC publications such as the OCIE Cyber Observations as guidance that should be followed and applied by regulated entities, as opposed to mere suggestion. The OCIE and Enforcement staff will be holding firms to this guidance. Thus, firms should proactively analyze the OCIE Cyber Observations, apply them to their businesses, and develop and implement remediation plans if necessary.