Ensuring an Effective Cybersecurity Program: Best Practices from the SEC and OCIE
The Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently released a report summarizing best practices for securities market participants, including public companies, to monitor, assess, and manage their cybersecurity risk. The report, entitled “Cybersecurity and Resiliency Observations” (“OCIE Report”),¹ is based on industry practices and approaches OCIE observed over the course of thousands of examinations.
OCIE’s observations are significant not only because they provide guidance for public companies and other businesses combating increasingly aggressive and sophisticated cyber threats, but also because they come straight from the inspection arm within the SEC responsible for conducting the SEC’s National Exam Program, which the SEC uses to “inform rulemaking initiatives, identify and monitor risks, improve industry practices and pursue misconduct.”² Each year, OCIE conducts examinations of SEC-registered persons and entities, such as investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, national securities exchanges, and others for compliance with SEC regulatory requirements.
OCIE’s observations are categorized into seven core areas designed to enhance cybersecurity practices and promote operational resiliency: (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management, and (7) training and awareness. This report is just the latest indicator that OCIE remains focused on cybersecurity, the protection of customer information, and SEC registrants that fail to implement adequate policies, procedures, and controls.
I. Previous OCIE Guidance and Examination Priorities
OCIE has a history of prioritizing cybersecurity issues and has identified cybersecurity as a critical element of its examination program. Within the past two years, OCIE has published three Risk Alerts related specifically to cybersecurity. Most recently, in May 2019, OCIE released a Risk Alert highlighting security risks associated with SEC registrants’ storage of electronic customer records in various network storage solutions and failure to use available cybersecurity measures.³ OCIE specifically identified risks regarding network misconfigurations, inadequate vendor oversight, and insufficient data classification policies and procedures. To mitigate such risks, OCIE recommended “implementation of a configuration management program that includes policies, procedures and baseline security standards governing data classification, vendor oversight and security features.”
Similarly, in Risk Alerts from December 2018⁴ and April 2019,⁵ OCIE raised a list of common SEC-registrant regulatory noncompliance issues, including a lack of privacy and opt-out notices and a failure to implement adequate policies and procedures for administrative, technical and physical safeguards. In response to these common compliance issues, OCIE has strongly advised that SEC registrants review their risks, practices, policies, and procedures—including implementation of those policies and procedures—to ensure that they are in compliance with applicable regulations.
OCIE’s Risk Alerts evidence the SEC’s focus on cybersecurity risk management and development of best practices. They are also consistent with OCIE’s 2020 Examination Priorities, which focus on the very areas addressed in the OCIE Report, including governance and risk management, access controls, data loss prevention, vendor management (especially network solutions), training, and incident response and resiliency. OCIE’s past posture with regard to cybersecurity suggests that its examiners may choose to structure their cybersecurity examination inquiries around the topics listed in the OCIE Report.
II. Consistency with SEC Disclosure Guidance
Many of the general areas OCIE highlighted in its OCIE Report and Risk Alerts have been addressed by the SEC historically, including the protection of customer data, disclosure of material cybersecurity risks and incidents, and compliance with securities regulations. In the guidance the SEC issued in 2018 relating to cybersecurity disclosure requirements, the SEC emphasized the importance of disclosure controls and procedures enabling public companies to make accurate and timely disclosures about material cybersecurity events, as well as policies protecting against insider trading in advance of disclosures of material cyber incidents. Similar to the OCIE Report, the SEC guidance recognizes and encourages the creation of a senior leadership team committed to understanding and mitigating cybersecurity risks, the development of a comprehensive set of policies and procedures governing the security of IT systems and sensitive data, and regular security and compliance assessments to test the sufficiency of systems and procedures.
III. “Best Practices” for SEC Registrants
The OCIE Report suggests that companies’ cybersecurity efforts should focus on the following:
Governance and Risk Management
Companies will need to ensure that there is involvement, oversight and buy-in for implementing the necessary cybersecurity measures at the Board and C-Suite level, in addition to ensuring there is effective internal and external communication to enable the provision of timely information to individuals or entities, as appropriate. Specific elements of an effective governance and risk management program include: (i) risk assessments to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) effective implementation and enforcement of those policies and procedures.
Access Rights and Controls
Limiting who can access data and the types of data that can be accessed is essential to reducing unauthorized disclosures and ensures that only users with a clear business or operational need are handling client information, systems, and data. Effective access controls should include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.
Data Loss Prevention
Mechanisms for monitoring networks and detecting anomalies that could impact data and systems should be implemented to ensure that sensitive data and business information are not accessed or acquired by unauthorized users. Companies should consider: (i) implementing vulnerability scanning; (ii) implementing perimeter security; (iii) implementing endpoint detection; (iv) establishing a patch management program; (v) maintaining an inventory of hardware and software assets; (vi) implementing encryption and network segmentation; (vii) monitoring for insider threats; and (viii) securing legacy systems and equipment.
Mobile Security
Mobile devices are just as susceptible to security breaches as information technology systems, and they present unique vulnerabilities that warrant the implementation of appropriate security measures and practices to ensure adequate protection. Companies should consider taking the following actions: (i) establishing policies and procedures for the use of mobile devices; (ii) using a mobile device management application or similar technology for an organization’s business, including email communication, calendar, data storage, and other activities; (iii) requiring the use of multi-factor authentication for all internal and external users; and (iv) training employees on relevant policies.
Incident Response and Resiliency
An organization’s ability to detect, respond to, contain, and remediate a security incident impacting its critical data and systems, in a timely manner, is essential to limiting potential data loss, ensuring business continuity, and facilitating the appropriate disclosure of material information. Companies should ensure they are able to timely detect security incidents and make appropriate disclosure of material information regarding incidents, as well as accurately assess the appropriateness of corrective actions taken in response to incidents. Companies that take proactive steps to evaluate their incident response program and conduct exercises to prepare for identifying, investigating, and responding to security incidents will be in the best position to minimize the legal, regulatory, business, and reputational impacts of a security incident.
Vendor Management
The use of third parties to handle key business and operational functions, including providing IT infrastructure and processing sensitive or business data, requires companies to critically evaluate the information security practices and procedures of those third parties to ensure that adequate cybersecurity processes are in place. Best practices for companies evaluating vendors include: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors and contract terms; (iii) assessing how vendor relationships are considered as part of the company’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.
Training and Awareness
Companies must protect their data and information technology systems from outside threats, as well as inside threats. Training employees and promoting awareness of cybersecurity threats and vulnerabilities helps protect the company from exposure presented by employees. In conducting such trainings, companies should consider using policies and procedures as a training guide, including examples and exercises, and implementing practices to monitor the effectiveness of trainings.
Companies are obligated to provide accurate and timely disclosures regarding material cybersecurity risks and incidents. Companies should review their disclosure to ensure it accurately reflects the company’s cybersecurity risk profile and the potential impact and costs of cybersecurity efforts, initiatives, and related risks. Companies should also ensure they have implemented adequate policies and procedures to allow for the timely reporting of material cyber incidents, to guard against insider trading, and to timely correct prior disclosures about a cybersecurity event that the company later determines was not accurate. Companies should also implement board oversight of cyber risk management and have a crisis management team in place ready to respond to any threats or incidents.
OCIE acknowledged in its Report that there is no “one-size fits all” approach to cybersecurity and that the best practices provided are meant more as guidelines. Nonetheless, given OCIE’s historical examination posture and the SEC’s overall focus on cybersecurity, SEC registrants would be well served to review existing cybersecurity practices against the observations from the OCIE Report. As a matter of good corporate governance, officers and directors should pay particular attention to any gaps against the SEC’s description of best practices. After all, and as OCIE observed, “[e]ffective cybersecurity programs start with the right tone on top.”
1 The OCIE Report, released January 27, 2020, is available online at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
2 U.S. Securities & Exchange Commission, About the Office of Compliance Inspections and Examinations (last visited Mar. 27, 2020), https://www.sec.gov/ocie/Article/ocie-about.html.
3 Office of Compliance Inspections and Examinations, Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf.
4 Office of Compliance Inspections and Examinations, Risk Alert: Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf.
5 Office of Compliance Inspections and Examinations, Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P—Privacy Notices and Safeguard Policies (Apr. 16, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.
© 2020 White & Case LLP