Are your cybersecurity practices up to snuff? The SEC has made cybersecurity one of its top examination priorities…
The Securities and Exchange Commission (SEC) has made cybersecurity one of its top examination priorities for securities and financial organizations and participants. The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) cybersecurity initiative was designed to assess a company’s cybersecurity preparedness in the wake of an uptick in cyber attacks. In a recent report, OCIE outlined several cybersecurity and operational resiliency practices that firms have adopted to safeguard against cyber threats. While the SEC does not necessarily describe them as “best” practices, the approaches can be useful in evaluating how your own firm’s cyber practices stack up.
SEC Focus on Cybersecurity
The SEC has increased its focus on cybersecurity issues in recent years:
The SEC’s Division of Enforcement established the Cyber Unit in September 2017 which focuses on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked nonpublic information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms
The SEC has also included cybersecurity as a key element in its corporate examination program over the past eight years.
OCIE has published eight risk alerts related to cybersecurity.
Finally, the SEC assumed legal authority to bring cyber-related enforcement actions against “bad actors” in order to protect investors and deter future wrongdoing.
To aid in compliance, the SEC recently issued examination observations related to cybersecurity and operational resiliency practices, which are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants. According to OCIE, these observations will afford organizations the opportunity to reflect on their own cybersecurity practices. “Recognizing that there is no such thing as a ‘one-size fits all’ approach and that all of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency,” the SEC stated.
SEC’s Observations on Cybersecurity Practices
The SEC’s observations are focused in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Below are several key takeaways:
(1)Governance and risk management: The SEC highlights the importance of establishing effective cybersecurity programs as part of corporate governance and risk management measures. These programs generally include, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address risks; and (iii) the implementation and enforcement of those policies and procedures.
(2) Access Rights and Controls: The SEC explains that access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access. It specifically highlights the importance of limiting access to sensitive systems and data based upon the user’s needs to perform legitimate and authorized activities, requiring periodic account reviews, and revoking system access immediately for individuals no longer employed by the organization.
(3)Data Loss Prevention: Possessing the proper tools and processes to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users is the premier consideration. Examples of effective practices include:
Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third party software) and hardware, including anti-virus and anti-malware installation;
Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers; and
Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.
(4) Mobile Security: Companies should not only establish policies and procedures for the use of mobile devices, but also train employees regarding the importance of abiding by the established policies and procedures. To effectively manage the use of mobile devices, the SEC notes that many firms require the use of a mobile device management (MDM) application or similar technology. Companies also take affirmative steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets and ensure the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.
(5)Incident Response and Resiliency: An important component of an incident response plan includes business continuity and resiliency. Strategies underscored by the SEC include identifying and prioritizing core business services and developing a strategy for operational resiliency with defined risk tolerances tailored to the organization.
Organizations with effective incident response plans tend to
include the following elements:
Developing a plan;
Determining and complying with applicable federal and state reporting requirements for cyber incidents or events;
Designating employees with specific roles and responsibilities in the event of a cyber incident; and
Testing the plan.
(6)Vendor Management: The Vendor management practices should generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.
(7) Training and Awareness: Organizations are encouraged to provide employees with training programs that illustrate the nature of cyber risks and responsibilities and heightens awareness of cyber threats. Training staff on your organization’s cybersecurity policies and procedures, it is helpful to include examples and exercises which will help employees identify phishing emails. A continuous re-evaluation and update to your firm’s training programs based on cyber-threat intelligence is pertinent.
Key Takeaway
While smaller organizations may not have the resources to implement all of the practices highlighted above, the SEC’s observations are very useful, particularly for registered broker-dealers and investment advisers that want to evaluate their cybersecurity practices, policies, and procedures before examiners come knocking.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Would Your Cybersecurity Practices Pass an SEC Exam?
Author: Scarinci Hollenbeck, LLC
Are your cybersecurity practices up to snuff? The SEC has made cybersecurity one of its top examination priorities…
The Securities and Exchange Commission (SEC) has made cybersecurity one of its top examination priorities for securities and financial organizations and participants. The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) cybersecurity initiative was designed to assess a company’s cybersecurity preparedness in the wake of an uptick in cyber attacks. In a recent report, OCIE outlined several cybersecurity and operational resiliency practices that firms have adopted to safeguard against cyber threats. While the SEC does not necessarily describe them as “best” practices, the approaches can be useful in evaluating how your own firm’s cyber practices stack up.
SEC Focus on Cybersecurity
The SEC has increased its focus on cybersecurity issues in recent years:
The SEC’s Division of Enforcement established the Cyber Unit in September 2017 which focuses on violations involving digital assets, initial coin offerings and cryptocurrencies; cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; trading on the basis of hacked nonpublic information; and cyber-related manipulations, such as brokerage account takeovers and market manipulations using electronic and social media platforms
The SEC has also included cybersecurity as a key element in its corporate examination program over the past eight years.
OCIE has published eight risk alerts related to cybersecurity.
Finally, the SEC assumed legal authority to bring cyber-related enforcement actions against “bad actors” in order to protect investors and deter future wrongdoing.
To aid in compliance, the SEC recently issued examination observations related to cybersecurity and operational resiliency practices, which are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants. According to OCIE, these observations will afford organizations the opportunity to reflect on their own cybersecurity practices. “Recognizing that there is no such thing as a ‘one-size fits all’ approach and that all of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency,” the SEC stated.
SEC’s Observations on Cybersecurity Practices
The SEC’s observations are focused in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Below are several key takeaways:
(1)Governance and risk management: The SEC highlights the importance of establishing effective cybersecurity programs as part of corporate governance and risk management measures. These programs generally include, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address risks; and (iii) the implementation and enforcement of those policies and procedures.
(2) Access Rights and Controls: The SEC explains that access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access. It specifically highlights the importance of limiting access to sensitive systems and data based upon the user’s needs to perform legitimate and authorized activities, requiring periodic account reviews, and revoking system access immediately for individuals no longer employed by the organization.
(3)Data Loss Prevention: Possessing the proper tools and processes to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users is the premier consideration. Examples of effective practices include:
Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third party software) and hardware, including anti-virus and anti-malware installation;
Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers; and
Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.
(4) Mobile Security: Companies should not only establish policies and procedures for the use of mobile devices, but also train employees regarding the importance of abiding by the established policies and procedures. To effectively manage the use of mobile devices, the SEC notes that many firms require the use of a mobile device management (MDM) application or similar technology. Companies also take affirmative steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets and ensure the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.
(5)Incident Response and Resiliency: An important component of an incident response plan includes business continuity and resiliency. Strategies underscored by the SEC include identifying and prioritizing core business services and developing a strategy for operational resiliency with defined risk tolerances tailored to the organization.
Organizations with effective incident response plans tend to
include the following elements:
Developing a plan;
Determining and complying with applicable federal and state reporting requirements for cyber incidents or events;
Designating employees with specific roles and responsibilities in the event of a cyber incident; and
Testing the plan.
(6)Vendor Management: The Vendor management practices should generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.
(7) Training and Awareness: Organizations are encouraged to provide employees with training programs that illustrate the nature of cyber risks and responsibilities and heightens awareness of cyber threats. Training staff on your organization’s cybersecurity policies and procedures, it is helpful to include examples and exercises which will help employees identify phishing emails. A continuous re-evaluation and update to your firm’s training programs based on cyber-threat intelligence is pertinent.
Key Takeaway
While smaller organizations may not have the resources to implement all of the practices highlighted above, the SEC’s observations are very useful, particularly for registered broker-dealers and investment advisers that want to evaluate their cybersecurity practices, policies, and procedures before examiners come knocking.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
