SEC Issues Statement on Cybersecurity and Operational Resiliency
On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.
OCIE’s observations fall into several categories.
Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.
Access Rights and Controls. Access rights and controls determine appropriate users for organization systems based on job responsibilities, with a goal of limiting access to information to authorized users. OCIE states that access controls generally include (i) understanding the location of data, including client information; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor unauthorized access. These principles, which are familiar concepts to government contractors, mirror the requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which DFARS 252.204-7008 and 252.204-7012 require for safeguarding certain information.
Data Loss Prevention. OCIE notes that organizations deploy various data loss prevention measures, including (i) vulnerability scanning, including routine scans of software code, web applications, servers and databases, workstation and endpoints; (ii) perimeter security that controls, monitors, and inspects all incoming and outgoing network traffic; (iii) detective security, i.e., products that can detect threats on endpoints, including the identification of fraudulent communications; (iv) inventory hardware and software, including the identification of critical assets and information; and (v) insider threat monitoring to identify suspicious behaviors, “including escalating issues to senior leadership as appropriate.” OCIE’s observation regarding the inclusion of senior leadership in cybersecurity protocols follows SEC’s February 2018 cybersecurity guidance, wherein the SEC specifically focused on board risk oversight.
Mobile Security. OCIE also focused on mobile devices and applications that can create vulnerabilities. OCIE observed companies employing mobile device policies and procedures, as well as managing the use of mobile devises, and implementing security measures. OCIE also noted that companies train their employees on their policies and practices. These steps are widely considered best practices for any company or organization.
Incident Response and Resiliency. Incident response includes the timely detecting of data breach incidents and the assessment and implementation of an appropriate response. The OCIE observes that incident response plans include several key elements, including (i) addressing applicable reporting requirements; (ii) assigning staff to execute specific areas of the plan; and (iii) testing and assessing the plan, i.e., “tabletop exercises.”
Vendor Management. OCIE also observed companies implementing vendor management protocols relating to data security. These protocols included (i) due diligence in selecting vendors; (ii) monitoring and overseeing vendors, through the including of appropriate contract terms and otherwise; (iii) assessing how vendor relationships fall within a company’s ongoing risk assessment process; and (iv) assessing how vendors protect any accessible client information. The OCIE is correct to call attention to vendor management, as vendor data security issues can often lead to litigation.
Training and Awareness. The OCIE calls training and awareness “key components of cybersecurity programs.” OCIE observed that companies (i) use policies and procedures as a training guide; (ii) include examples and exercise in trainings; and (iii) monitor their systems to ensure employees attend training and to assess the training’s effectiveness.
A copy of OCIE’s statement can be obtained here.