Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

Would Your Cybersecurity Practices Pass an SEC Exam?

Author: Scarinci Hollenbeck, LLC

Date: February 14, 2020

Key Contacts

Back

Are your cybersecurity practices up to snuff? The SEC has made cybersecurity one of its top examination priorities…

The Securities and Exchange Commission (SEC) has made cybersecurity one of its top examination priorities for securities and financial organizations and participants.  The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) cybersecurity initiative was designed to assess a company’s cybersecurity preparedness in the wake of an uptick in cyber attacks.  In a recent report, OCIE outlined several cybersecurity and operational resiliency practices that firms have adopted to safeguard against cyber threats. While the SEC does not necessarily describe them as “best” practices, the approaches can be useful in evaluating how your own firm’s cyber practices stack up.

Would Your Cybersecurity Practices Pass an SEC Exam?

SEC Focus on Cybersecurity

The SEC has increased its focus on cybersecurity issues in recent years:

  1. The SEC’s Division of Enforcement established the Cyber Unit in September 2017 which focuses on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked nonpublic information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms
  2. The SEC has also included cybersecurity as a key element in its corporate examination program over the past eight years.
  3. OCIE has published eight risk alerts related to cybersecurity.
  4. Finally, the SEC assumed legal authority to bring cyber-related enforcement actions against “bad actors” in order to protect investors and deter future wrongdoing.

To aid in compliance, the SEC recently issued examination observations related to cybersecurity and operational resiliency practices, which are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.  According to OCIE, these observations will afford organizations the opportunity to reflect on their own cybersecurity practices. “Recognizing that there is no such thing as a ‘one-size fits all’ approach and that all of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency,” the SEC stated.

SEC’s Observations on Cybersecurity Practices

The SEC’s observations are focused in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Below are several key takeaways:

(1) Governance and risk management: The SEC highlights the importance of establishing effective cybersecurity programs as part of corporate governance and risk management measures.  These programs generally include, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address risks; and (iii) the implementation and enforcement of those policies and procedures.

(2) Access Rights and Controls: The SEC explains that access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access. It specifically highlights the importance of limiting access to sensitive systems and data based upon the user’s needs to perform legitimate and authorized activities, requiring periodic account reviews, and revoking system access immediately for individuals no longer employed by the organization.

(3) Data Loss Prevention: Possessing the proper tools and processes to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users is the premier consideration. Examples of effective practices include:

  • Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third party software) and hardware, including anti-virus and anti-malware installation;
  • Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers; and
  • Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.

(4) Mobile Security: Companies should not only establish policies and procedures for the use of mobile devices, but also train employees regarding the importance of abiding by the established policies and procedures. To effectively manage the use of mobile devices, the SEC notes that many firms require the use of a mobile device management (MDM) application or similar technology. Companies also take affirmative steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets and ensure the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.

(5) Incident Response and Resiliency: An important component of an incident response plan includes business continuity and resiliency.  Strategies underscored by the SEC include identifying and prioritizing core business services and developing a strategy for operational resiliency with defined risk tolerances tailored to the organization.

Organizations with effective incident response plans tend to include the following elements:

  • Developing a plan;
  • Determining and complying with applicable federal and state reporting requirements for cyber incidents or events;
  • Designating employees with specific roles and responsibilities in the event of a cyber incident; and
  • Testing the plan.

(6) Vendor Management: The Vendor management practices should generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.

(7) Training and Awareness: Organizations are encouraged to provide employees with training programs that illustrate the nature of cyber risks and responsibilities and heightens awareness of cyber threats. Training staff on your organization’s cybersecurity policies and procedures, it is helpful to include examples and exercises which will help employees identify phishing emails. A continuous re-evaluation and update to your firm’s training programs based on cyber-threat intelligence is pertinent.

Key Takeaway

While smaller organizations may not have the resources to implement all of the practices highlighted above, the SEC’s observations are very useful, particularly for registered broker-dealers and investment advisers that want to evaluate their cybersecurity practices, policies, and procedures before examiners come knocking.

If you have questions, please contact us

If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public post image

Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public

Cryptocurrency intimidates most people. The reason is straightforward. People fear what they do not understand. When confusion sets in, the common reaction is either to ignore the subject entirely or to mistrust it. For years, that is exactly how most of the public and even many in law enforcement treated cryptocurrency. However, such apprehension changed […]

Author: Bryce S. Robins

Link to post with title - "Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public"
Understanding Chattel Paper: A Key Component in Secured Transactions post image

Understanding Chattel Paper: A Key Component in Secured Transactions

Using chattel paper to obtain a security interest in personal property is a powerful tool. It can ensure lenders have a legal claim on collateral ranging from inventory to intellectual property. To reduce risk and protect your legal rights, businesses and lenders should understand the legal framework. This framework governs the creation, sale, and enforcement […]

Author: Dan Brecher

Link to post with title - "Understanding Chattel Paper: A Key Component in Secured Transactions"
Crypto Compliance: A Comprehensive Guide post image

Crypto Compliance: A Comprehensive Guide

For years, digital assets operated in a legal gray area, a frontier where innovation outpaced the reach of regulators and law enforcement. In this early “Wild West” phase of finance, crypto startups thrived under minimal oversight. That era, however, is coming to an end. The importance of crypto compliance has become paramount as cryptocurrency has […]

Author: Bryce S. Robins

Link to post with title - "Crypto Compliance: A Comprehensive Guide"
Supreme Court and Title VII: Implications for Reverse Discrimination post image

Supreme Court and Title VII: Implications for Reverse Discrimination

Earlier this month, the U.S. Supreme Court issued a decision in Ames v. Ohio Department of Youth Services vitiating the so-called “background circumstances” test required by half of federal circuit courts.1 The background circumstances test required majority group plaintiffs pleading discrimination under Title VII of the Civil Rights Act to meet a heightened pleading standard […]

Author: Matthew F. Mimnaugh

Link to post with title - "Supreme Court and Title VII: Implications for Reverse Discrimination"
SPACs Are Back, What You Need to Know post image

SPACs Are Back, What You Need to Know

Special purpose acquisition companies (better known as SPACs) appear to be making a comeback. SPAC offerings for 2025 have already nearly surpassed last year’s totals, with additional transactions in the pipeline. SPACs last experienced a boom between 2020–2021, with approximately 600 U.S. companies raising a record $163 billion in 2021. Notable companies that went public […]

Author: Dan Brecher

Link to post with title - "SPACs Are Back, What You Need to Know"
Short Form Merger: Streamlining the Process for Businesses post image

Short Form Merger: Streamlining the Process for Businesses

Merging two companies is a complex legal and business transaction. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process that involves important corporate governance considerations. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process. However, […]

Author: Dan Brecher

Link to post with title - "Short Form Merger: Streamlining the Process for Businesses"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!