The SEC’s Most Detailed Cybersecurity Guidance to Date

Posted on February 10, 2020, by James G. Lundy and Peter Baldwin in Cybersecurity, Enforcement, Office of Compliance Inspections and Examinations (OCIE).

The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”

Consistent with Chairman Jay Clayton’s prioritization of cybersecurity issues across the SEC’s divisions and offices, OCIE’s Cybersecurity and Resiliency Observations (“OCIE Cyber Observations”) detail the SEC’s and OCIE’s focus on cybersecurity issues. Specifically, the OCIE Cyber Observations highlight that:

  • In an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency.
  • The SEC has and will continue to focus on cybersecurity issues, with particular attention to market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under the federal securities laws.

The OCIE Cyber Observations cover the following topics: Governance and Risk Management; Access Rights and Controls; Data Loss Prevention; Mobile Security; Incident Response and Resiliency; Vendor Management; and Training and Awareness.

The OCIE Cyber Observations also recommend that registrants, issuers, other regulated entities, and investment professionals sign up for alerts published by the Cyber Infrastructure Security Agency. Further, the OCIE Cyber Observations encourage organizations to participate in information sharing groups through industry associations such as the Financial Services Information Sharing and Analysis Center. The OCIE Cyber Observations also provide insight and commentary on another key resource developed through the collaboration between government and industry: the National Institute of Standards and Technology Cybersecurity Framework.

The OCIE Cyber Observations conclude by stating that the SEC “encourage[s] market participants to review their practices, policies and procedures with respect to cybersecurity and resiliency.” As we have advised here previously, we recommend to our readers that they view SEC publications such as the OCIE Cyber Observations as guidance that should be followed and applied by regulated entities, as opposed to mere suggestion. The OCIE and Enforcement staff will be holding firms to this guidance. Thus, firms should proactively analyze the OCIE Cyber Observations, apply them to their businesses, and develop and implement remediation plans if necessary.
