The Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) today issued examination observations on the cybersecurity and operational resiliency practices of market participants.
The observations cover approaches taken in seven areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They include specific examples of practices and controls that organizations have adopted to safeguard against threats and to respond when an incident occurs.
“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts,” said SEC Chairman Jay Clayton. “I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”
“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” said Peter Driscoll, Director of OCIE. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy.
OCIE has observed organizations utilizing the following risk management and governance measures:
• Senior Level Engagement. Devoting appropriate board and senior leadership attention to setting the strategy of and overseeing the organization’s cybersecurity and resiliency programs.
• Risk Assessment. Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization’s business. This includes considering the organization’s business model when defining the risk assessment methodology, and identifying and prioritizing potential vulnerabilities, including those arising from remote or traveling employees, insider threats, international operations, and geopolitical risks, among others.
• Policies and Procedures. Adopting and implementing comprehensive written policies and procedures addressing the areas discussed below and identified risks.
• Testing and Monitoring. Establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis. Testing and monitoring can be informed based on cyber threat intelligence.
• Continuously Evaluating and Adapting to Changes. Responding promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involving board and senior leadership appropriately.
• Communication. Establishing internal and external communication policies and procedures to provide timely information to decision makers, customers, employees, other market participants, and regulators as appropriate.
OCIE has observed strategies related to access rights and controls at organizations that perform the following:
• User Access. Developing a clear understanding of access needs to systems and data. This includes limiting access to sensitive systems and data, based upon the user’s needs to perform legitimate and authorized activities on the organization’s information systems, and requiring periodic account reviews.
• Access Management. Managing user access through systems and procedures that:
(i) limit access as appropriate, including during onboarding, transfers, and terminations;
(ii) implement separation of duties for user access approvals;
(iii) re-certify users’ access rights on a periodic basis (paying particular attention to accounts with elevated privileges including users, administrators, and service accounts);
(iv) require the use of strong, and periodically changed, passwords;
(v) utilize multi-factor authentication (MFA) leveraging an application or key fob to generate an additional verification code; and
(vi) revoke system access immediately for individuals no longer employed by the organization, including former contractors.
• Access Monitoring. Monitoring user access and developing procedures that: (i) monitor for failed login attempts and account lockouts; (ii) ensure proper handling of customers’ requests for user name and password changes as well as procedures for authenticating anomalous or unusual customer requests; (iii) consistently review for system hardware and software changes, to identify when a change is made; and (iv) ensure that any changes are approved, properly implemented, and that any anomalies are investigated.
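The failed-login and lockout monitoring described in the Access Monitoring item above, as an added example that is not part of the OCIE observations. It parses a constructed set of syslog-style authentication events (the log format, field names, usernames, addresses and the five-failures-in-ten-minutes threshold are all assumptions) and raises three kinds of alert: a burst of failures against one account from one source, an explicit lockout event, and a successful login that follows a run of failures.

```python
"""Detect failed-login bursts, lockouts and success-after-failure in auth logs.

Added example for the "Access Monitoring" observation; not from the OCIE
document. The log format, field names, thresholds and sample data below are
assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; the format is an assumption).
SAMPLE_LOG = """\
2020-01-27T09:00:01Z auth: FAILED user=jdoe src=203.0.113.7 reason=bad_password
2020-01-27T09:00:03Z auth: FAILED user=jdoe src=203.0.113.7 reason=bad_password
2020-01-27T09:00:04Z auth: FAILED user=jdoe src=203.0.113.7 reason=bad_password
2020-01-27T09:00:06Z auth: FAILED user=jdoe src=203.0.113.7 reason=bad_password
2020-01-27T09:00:07Z auth: FAILED user=jdoe src=203.0.113.7 reason=bad_password
2020-01-27T09:00:08Z auth: LOCKOUT user=jdoe src=203.0.113.7
2020-01-27T09:15:00Z auth: SUCCESS user=asmith src=198.51.100.4
2020-01-27T10:00:00Z auth: FAILED user=asmith src=198.51.100.4 reason=bad_password
2020-01-27T10:20:00Z auth: FAILED user=asmith src=198.51.100.4 reason=bad_password
2020-01-27T10:21:00Z auth: SUCCESS user=asmith src=198.51.100.4
2020-01-27T11:00:00Z auth: FAILED user=svc_backup src=192.0.2.9 reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<event>FAILED|SUCCESS|LOCKOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(lines):
    """Yield (timestamp, event, user, src) for every line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["event"], m["user"], m["src"]


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts, each (kind, user, src, detail).

    'burst'                  : >= threshold FAILED events for one (user, src)
                               inside `window` (fires once per run of failures)
    'lockout'                : every LOCKOUT event, detail = timestamp
    'success_after_failures' : SUCCESS preceded by failures inside `window`,
                               detail = number of those failures
    """
    alerts = []
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    burst_fired = set()          # keys that already produced a 'burst' alert
    for ts, event, user, src in parse(log_text.splitlines()):
        key = (user, src)
        # Drop failures that have aged out of the sliding window.
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if event == "FAILED":
            recent[key].append(ts)
            if len(recent[key]) >= threshold and key not in burst_fired:
                alerts.append(("burst", user, src, len(recent[key])))
                burst_fired.add(key)
        elif event == "LOCKOUT":
            alerts.append(("lockout", user, src, ts.isoformat()))
        elif event == "SUCCESS":
            if recent[key]:
                alerts.append(("success_after_failures", user, src, len(recent[key])))
            # A success ends the current run of failures for this key.
            recent[key].clear()
            burst_fired.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The third alert kind is the one worth escalating: a lockout on its own may be a forgotten password, whereas a success after repeated failures from the same source is the signature of a guessed credential and should be investigated before the account is unlocked.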
OCIE has observed the following data loss prevention measures utilized by organizations:
• Vulnerability Scanning. Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers.
• Perimeter Security. Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. These capabilities include firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering. Implementing an enterprise data loss prevention solution capable of monitoring and blocking access to personal email, cloud-based file-sharing services, social media sites, and removable media such as USB and CDs.
• Detective Security. Implementing capabilities that are able to detect threats on endpoints. Considering products that can utilize both signature and behavioral-based capabilities and can identify incoming fraudulent communications to prevent unauthorized software or malware from running. Establishing policies and procedures to capture and retain system logs from systems and applications for aggregation and analysis. For software that provides automated actions, such as macros and scripts, enabling optional security features or following the security guidance that may be offered by third-party software providers.
• Patch Management. Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third-party software) and hardware, including anti-virus and anti-malware installation.
• Inventory Hardware and Software. Maintaining an inventory of hardware and software assets, including identification of critical assets and information (i.e., know where they are located, and how they are protected).
• Encryption and Network Segmentation. Using tools and processes to secure data and systems, including: (i) encrypting data “in motion” both internally and externally; (ii) encrypting data “at rest” on all systems including laptops, desktops, mobile phones, tablets, and servers; and (iii) implementing network segmentation and access control lists to limit data availability to only authorized systems and networks.
• Insider Threat Monitoring. Creating an insider threat program to identify suspicious behaviors, including escalating issues to senior leadership as appropriate. Increasing the depth and frequency of testing of business systems and conducting penetration tests. Creating rules to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code) from leaving the organization. Tracking corrective actions in response to findings from testing and monitoring, material changes to business operations or technology, and any other significant events.
• Securing Legacy Systems and Equipment. Verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities by using processes to: (i) remove sensitive information from decommissioned hardware and software and dispose of it promptly; and (ii) reassess vulnerability and risk assessments as legacy systems are replaced with more modern systems.
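An outbound DLP rule of the kind the Insider Threat Monitoring item refers to (rules that identify and block sensitive data such as account numbers and social security numbers leaving the organization), as an added example rather than anything from the OCIE document. The patterns, the validity filters and the block/allow policy are assumptions. It shows the step a bare pattern match gets wrong: candidate matches are validated before they count, using the SSA structural rules for SSNs and the Luhn check for payment-card-style account numbers, so a ticket number or a mistyped card string does not trigger a false block.

```python
"""Outbound DLP rule: flag text carrying SSNs or card-style account numbers.

Added example for the "Insider Threat Monitoring" observation; not from the
OCIE document. Patterns, validity checks, sample strings and the block/allow
policy are assumptions a real deployment would tune to its own data types.
"""
import re

# Candidate SSN: 3-2-4 digits, optional dash or space separators, word-bounded.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Candidate card/account number: 13-19 digits with optional single separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """SSA structural rules: area not 000/666/900-999, group not 00, serial not 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return validated findings as (kind, matched_text) pairs."""
    findings = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def decide(text, block_on=("ssn", "card")):
    """Policy: block the message if any finding of a blocked kind is present."""
    findings = scan(text)
    action = "block" if any(kind in block_on for kind, _ in findings) else "allow"
    return action, findings


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a standard test PAN.
    print(decide("SSN 219-09-9999 and card 4111 1111 1111 1111"))
    print(decide("ticket 000-12-3456 ref 4111 1111 1111 1112"))
```

Structured identifiers suit this approach; trade information and source code, also named in the item, usually call for document fingerprinting or exact-data matching rather than patterns, since no regular expression distinguishes a firm's order flow or proprietary code from ordinary text.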
Mobile devices and applications may create additional and unique vulnerabilities. OCIE has observed the following mobile security measures at organizations utilizing mobile applications:
• Policies and Procedures. Establishing policies and procedures for the use of mobile devices.
• Managing the Use of Mobile Devices. Using a mobile device management (MDM) application or similar technology for an organization’s business, including email communication, calendar, data storage, and other activities. If using a “bring your own device” policy, ensuring that the MDM solution works with all mobile phone/device operating systems.
• Implementing Security Measures. Requiring the use of MFA for all internal and external users. Taking steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets. Ensuring the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.
• Training Employees. Training employees on mobile device policies and effective practices to protect mobile devices.
OCIE has observed that many organizations with incident response plans tend to include the following elements:
• Development of a Plan. Developing a risk-assessed incident response plan for various scenarios including denial of service attacks, malicious disinformation, ransomware, key employee succession, as well as extreme but plausible scenarios. Considering past cybersecurity incidents and current cyber-threat intelligence in developing business continuity plans and policies and procedures. Establishing and maintaining procedures that include: (i) timely notification and response if an event occurs; (ii) a process to escalate incidents to appropriate levels of management, including legal and compliance functions; and (iii) communication with key stakeholders.
Training and awareness are key components of cybersecurity programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats. OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness:
• Policies and Procedures as a Training Guide. Training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency.
• Including Examples and Exercises in Trainings. Providing specific cybersecurity and resiliency training, including phishing exercises to help employees identify phishing emails. Including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious.
• Training Effectiveness. Monitoring to ensure employees attend training and assessing the effectiveness of training. Continuously re-evaluating and updating training programs based on cyber-threat intelligence.
The full document can be found here.
To learn more:
1) Read cybersecurity essentials – a simple list that will help most organizations become far more secure.
2) Get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.