SEC Offers Tips to Bolster Firms’ Cybersecurity Plans
The Securities and Exchange Commission’s exam division recently released a guide that outlines best practices firms use to combat cyberattacks, data loss and privacy breaches. According to the report, the observations are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.
In the 13-page document, the Office of Compliance Inspections and Examinations (OCIE) covers the following areas: governance and risk management; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. The intent of the report is to highlight and share specific examples of the cybersecurity and operational resiliency practices and controls that firms use to safeguard against threats, and how they respond in the event of a breach.
Recognizing that there is no such thing as a “one size fits all” approach, the following tips can be used to bolster your firm’s cybersecurity preparedness and operational resiliency:
Governance and Risk Management
The OCIE has observed organizations utilizing the following risk management and governance measures:
Senior Level Engagement: Devoting appropriate board and senior leadership attention to setting the strategy of and overseeing the organization’s cybersecurity and resiliency programs.
Risk Assessment: Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization’s business.
Policies and Procedures: Adopting and implementing comprehensive written policies and procedures addressing the areas discussed below and identified risks.
Testing and Monitoring: Establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis. Testing and monitoring can be informed based on cyber threat intelligence.
Continuously Evaluating and Adapting to Changes: Responding promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involving board and senior leadership appropriately.
Communication: Establishing internal and external communication policies and procedures to provide timely information to decision makers, customers, employees, other market participants, and regulators as appropriate.
Access Rights and Controls
The OCIE has observed strategies related to access rights and controls at organizations that perform the following:
User Access: Developing a clear understanding of access needs to systems and data. This includes limiting access to sensitive systems and data, based upon the user’s needs to perform legitimate and authorized activities on the organization’s information systems, and requiring periodic account reviews.
Access Management: Managing user access through systems and procedures that limit access to the appropriate users, including during onboarding, transfers, and terminations. Among other standards, firms should also implement separation of duties for user access approvals.
Access Monitoring: Monitoring user access, including procedures that watch for failed login attempts and account lockouts, that ensure proper handling of customers’ requests for user name and password changes, and that authenticate anomalous or unusual customer requests before acting on them.
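The monitoring the OCIE describes above (failed logins and lockouts) is usually implemented as simple windowed counting over authentication logs. The following is an added example, not code from the SEC or from any firm’s program; it assumes a constructed one-line `key=value` log format and makes up the sample lines, thresholds and source addresses. It flags three things a reviewer would want to see: a burst of failures against one account, one source failing against many accounts (password spraying, which per-account lockout thresholds miss), and a successful login shortly after a lockout from a different source than the one that caused it.

```python
"""Flag failed-login bursts, password spraying and lockouts in an auth log.

Added example for illustration; the log format below is an assumption,
and every line, address and user name in SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from a real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z result=OK user=alice src=198.51.100.10
2024-03-04T09:01:10Z result=FAIL user=bob src=203.0.113.7 reason=bad_password
2024-03-04T09:01:12Z result=FAIL user=bob src=203.0.113.7 reason=bad_password
2024-03-04T09:01:15Z result=FAIL user=bob src=203.0.113.7 reason=bad_password
2024-03-04T09:01:19Z result=FAIL user=bob src=203.0.113.7 reason=bad_password
2024-03-04T09:01:24Z result=FAIL user=bob src=203.0.113.7 reason=bad_password
2024-03-04T09:01:25Z result=LOCKOUT user=bob src=203.0.113.7
2024-03-04T09:02:00Z result=FAIL user=carol src=192.0.2.44 reason=bad_password
2024-03-04T09:02:05Z result=FAIL user=dave src=192.0.2.44 reason=bad_password
2024-03-04T09:02:09Z result=FAIL user=erin src=192.0.2.44 reason=bad_password
2024-03-04T09:02:14Z result=FAIL user=frank src=192.0.2.44 reason=bad_password
2024-03-04T09:03:00Z result=OK user=bob src=192.0.2.44
2024-03-04T10:30:00Z result=FAIL user=alice src=198.51.100.10 reason=bad_password
2024-03-04T10:30:30Z result=OK user=alice src=198.51.100.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_auth_log(text):
    """Parse log text into a time-sorted list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=3):
    """Return findings for failure bursts, password spraying, lockouts and post-lockout logins.

    Thresholds are illustrative assumptions; tune them to the real environment.
    """
    findings = []
    fails_by_user = defaultdict(deque)  # user -> failure timestamps inside the window
    fails_by_src = defaultdict(deque)   # src  -> (timestamp, user) failures inside the window
    lockouts = {}                       # user -> (timestamp, src) of the most recent lockout
    alerted_users, alerted_srcs = set(), set()  # alert once per key, not on every further failure

    for e in events:
        ts, user, src = e["ts"], e["user"], e["src"]
        if e["result"] == "FAIL":
            q = fails_by_user[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the sliding window
                q.popleft()
            if len(q) >= fail_threshold and user not in alerted_users:
                findings.append({"type": "failed_login_burst", "user": user, "count": len(q)})
                alerted_users.add(user)

            s = fails_by_src[src]
            s.append((ts, user))
            while s and ts - s[0][0] > window:
                s.popleft()
            distinct = {u for _, u in s}      # one source, many accounts = spraying pattern
            if len(distinct) >= spray_threshold and src not in alerted_srcs:
                findings.append({"type": "password_spray", "src": src, "users": sorted(distinct)})
                alerted_srcs.add(src)

        elif e["result"] == "LOCKOUT":
            lockouts[user] = (ts, src)
            findings.append({"type": "lockout", "user": user, "src": src})

        elif e["result"] == "OK":
            lock = lockouts.get(user)
            # A success soon after a lockout, from a source other than the one that caused it,
            # deserves a human look (e.g. an unlock or password reset handled on a weak request).
            if lock and ts - lock[0] <= window and src != lock[1]:
                findings.append({"type": "success_after_lockout_new_src", "user": user,
                                 "src": src, "lockout_src": lock[1]})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_auth_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample this reports bob’s five-failure burst and lockout, a spray from 192.0.2.44 against carol, dave and erin, and bob’s subsequent successful login from that same spraying address; alice’s single mistyped password is correctly ignored. The per-source view is the piece most easily forgotten: a source that tries one password against many accounts never trips a per-account lockout.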
Data Loss Prevention
The OCIE has observed the following data loss prevention measures utilized by organizations:
Vulnerability Scanning: Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers.
Perimeter Security: Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.
Detective Security: Implementing capabilities that are able to detect threats on endpoints. Considering products that combine signature-based and behavioral detection and that can identify incoming fraudulent communications, so that unauthorized software or malware is stopped before it runs.
Patch Management: Establishing a patch management program covering all software (e.g., in-house developed, commercial off-the-shelf, and other third party software) and hardware, including anti-virus and anti-malware installation.
Inventory Hardware and Software: Maintaining an inventory of hardware and software assets, including identification of critical assets and information (e.g., knowing where they are located and how they are protected).
Encryption and Network Segmentation: Using tools and processes to secure data and systems, including: (i) encrypting data “in motion” both internally and externally; (ii) encrypting data “at rest” on all systems including laptops, desktops, mobile phones, tablets, and servers; and (iii) implementing network segmentation and access control lists to limit data availability to only authorized systems and networks.
Insider Threat Monitoring: Creating an insider threat program to identify suspicious behaviors, including escalating issues to senior leadership as appropriate. Increasing the depth and frequency of testing of business systems and conducting penetration tests.
Securing Legacy Systems and Equipment: Verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities by using processes to: (i) remove sensitive information from decommissioned hardware and software and dispose of it promptly; and (ii) revisit vulnerability and risk assessments as legacy systems are replaced with more modern ones.
Mobile Security
The OCIE has observed the following mobile security measures at organizations utilizing mobile applications:
Policies and Procedures: Establishing policies and procedures for the use of mobile devices.
Managing the Use of Mobile Devices: Using a mobile device management (MDM) application or similar technology for an organization’s business, including email communication, calendar, data storage, and other activities. If using a “bring your own device” policy, ensuring that the MDM solution works with all mobile phone/device operating systems in use.
Implementing Security Measures: Requiring the use of multi-factor authentication (MFA) for all internal and external users. Taking steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones or tablets. Ensuring the ability to remotely wipe data and content from a device that belongs to a former employee or from a lost device.
Training Employees: Training employees on mobile device policies and effective practices to protect mobile devices.
Incident Response and Resiliency
The OCIE has observed that many organizations with incident response plans tend to include:
– The Development of a Plan
– Addressing Applicable Reporting Requirements
– Assigning Staff to Execute Specific Areas of the Plan
– Testing and Assessing the Plan
Additionally, the OCIE has observed the following strategies to address resiliency:
– Maintaining an Inventory of Core Business Operations and Systems
– Assessing Risks and Prioritizing Business Operations
– Considering Additional Safeguards
Vendor Management
The OCIE has observed the following practices in the area of vendor management by organizations:
Vendor Management Program: Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented. Leveraging questionnaires based on reviews of industry standards as well as independent audits.
Understanding Vendor Relationships: Understanding all contract terms, including rights, responsibilities, expectations, and other specific terms, to ensure that all parties have the same understanding of how risk and security are addressed. Understanding and managing the risks related to vendor outsourcing, including the vendor’s own use of cloud-based services.
Vendor Monitoring and Testing: Monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
Training and Awareness
The OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness:
Policies and Procedures as a Training Guide: Training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency.
Including Examples and Exercises in Trainings: Providing specific cybersecurity and resiliency training, including phishing exercises to help employees identify phishing emails. Including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious.
Training Effectiveness: Monitoring to ensure employees attend training and assessing the effectiveness of training. Continuously re-evaluating and updating training programs based on cyber-threat intelligence.