The SEC’s Office of Compliance Inspections and Examinations published a series of observations gleaned from hundreds of exams conducted over a period of years. While OCIE’s charge is the inspection of registered investment entities, the observations of the exam staff offer important lessons for everyone in this critical and constantly evolving area. The observations are set forth in Cybersecurity and Resiliency Observations, Office of Compliance Inspections and Examinations (Jan. 27, 2020) (here), and are detailed below.
Governance and risk management
An effective cybersecurity program begins with “tone at the top” and the involvement of senior enterprise executives. Four key building blocks are essential: senior level engagement; risk assessment; policy and procedure adoption; and communication of the policies and procedures in a timely manner.
Access rights and controls
The central question is identifying the appropriate users, which in turn allows access to be limited. Three key elements should be examined: access that is based on, and limited by, need; policies governing access that are tied to need; and monitoring to enforce those policies.
Data loss prevention
This typically includes tools to ensure that sensitive data and client information are not lost or misused. Key tools include: vulnerability scanning; perimeter security; detective security that searches for threats on endpoints; patch management covering all software; an inventory of hardware and software that is maintained and protected; encryption and network segmentation through the use of tools and processes designed to secure data and systems; insider threat monitoring; and securing legacy systems and equipment.
Mobile security
Mobile devices can create additional security concerns and have unique issues of their own. Effectively dealing with these issues requires: policies and procedures designed specifically for mobile devices; and the use of mobile device management applications. If personal devices are used, the program or system must be designed to cover all such devices. In addition, steps are required to prevent the duplication or saving of information on personal devices, along with specific training regarding such devices.
Incident response and resiliency
Two points are to be considered. First, the organization should have a plan whose component elements include developing risk assessments for various scenarios, such as service attacks, malicious disinformation, ransomware, and others. The plan should also address the applicable federal and state reporting requirements. Second, strategies focused on resilience are required, including maintaining an inventory of core business operations and systems, assessing risk tolerances tailored to the organization, and maintaining the necessary back-up data.
Vendor management
Vendor management requires a program that includes: elements to ensure that vendors meet the security requirements and take appropriate safeguards; understanding the contractual and other terms and elements that govern the relationship; and appropriate monitoring and testing.
Training and awareness
Key to any plan is the training and awareness of employees. The organization’s cybersecurity policies and procedures serve as the guide from which training staff build the training program and engage employees. The program should also evaluate its own effectiveness.
In the end, cybersecurity is a multi-faceted program that every organization must address, beginning with the tone set at the top that flows through the enterprise, and focused on the risks faced by the particular business.