The SEC's Office of Compliance Inspections and Examinations ("OCIE") released a report detailing its cybersecurity and resiliency observations, which may suggest benchmarks for future inspections and could inform possible enforcement determinations.

On January 27, 2020, OCIE issued a report detailing cybersecurity and resiliency observations the staff made after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report offers a snapshot of current market practices in seven key areas:

  1. Governance and Risk Management
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Mobile Security
  5. Incident Response and Resiliency
  6. Vendor Management
  7. Training and Awareness

Going Beyond Written Policies to Continuously Implemented Practices

The report stressed the need for more than the one-time establishment of policies and procedures, encouraging organizations instead to engage in continual testing and monitoring for compliance, as well as periodic risk assessments of threats and safeguards. Other policies and procedures observed in the report include those pertaining to user access management, vulnerability and perimeter scanning, encryption and network segmentation, mobile device management applications, incident response planning and testing, vendor management programs, and training and awareness, among others.

Implications

Enforcement actions to date have generally focused on regulated entities that maintained what the agency viewed as inadequate cybersecurity policies and procedures under Regulations S-P and S-ID. And in its 2020 Examination Priorities and earlier statements, OCIE has consistently identified governance and risk assessment, access rights and control, data loss prevention, vendor management, training, and incident response as key areas of focus. In the recent report, OCIE added mobile security as an additional stand-alone area of focus.

The report notes that "there is no such thing as a 'one-size fits all' approach." Because the report identifies what OCIE has favorably observed in recent examinations of cybersecurity programs, however, the observations may suggest benchmarks for future inspections and could inform possible enforcement determinations.