Enforcement Highlights

Covering SEC, CFTC, FINRA, PCAOB, States, Exchanges, & FCA Enforcement Activities

The SEC’s Most Detailed Cybersecurity Guidance to Date

The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC-regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”

Consistent with Chairman Jay Clayton’s prioritization of cybersecurity issues across the SEC’s divisions and offices, OCIE’s Cybersecurity and Resiliency Observations (“OCIE Cyber Observations”) detail the SEC’s and OCIE’s focus on cybersecurity issues. Specifically, the OCIE Cyber Observations highlight that:

  • In an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency.
  • The SEC has focused, and will continue to focus, on cybersecurity issues, with particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under the federal securities laws.

The OCIE Cyber Observations cover the following topics: Governance and Risk Management; Access Rights and Controls; Data Loss Prevention; Mobile Security; Incident Response and Resiliency; Vendor Management; and Training and Awareness.

The OCIE Cyber Observations also recommend that registrants, issuers, other regulated entities, and investment professionals sign up for alerts published by the Cyber Infrastructure Security Agency. Further, the OCIE Cyber Observations encourage organizations to participate in information sharing groups through industry associations such as the Financial Services Information Sharing and Analysis Center. The OCIE Cyber Observations also provide insight and commentary on another key resource developed through the collaboration between government and industry: the National Institute of Standards and Technology Cybersecurity Framework.

The OCIE Cyber Observations conclude by stating that the SEC “encourage[s] market participants to review their practices, policies and procedures with respect to cybersecurity and resiliency.” As we have advised here previously, we recommend to our readers that they view SEC publications such as the OCIE Cyber Observations as guidance that should be followed and applied by regulated entities, as opposed to mere suggestions. The OCIE and Enforcement staff will be holding firms to this guidance. Thus, firms should proactively analyze the OCIE Cyber Observations, apply them to their businesses, and develop and implement remediation plans if necessary.

February 10, 2020
Written by: Peter Baldwin
Category: Compliance and Supervision, Hedge Funds and Private Equity, Insider and Manipulative Trading, Investment Advisers and Broker Dealers, Public Companies, Accounting, and Auditing
Tags: Office of Compliance Inspections and Examinations (OCIE)

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.