On January 27, 2020, the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a 13-page report of observations from its examinations of market participants’ cybersecurity and operational resiliency practices.1 This Legal Update discusses the content and context of the report and its implications for entities subject to examination by OCIE.
The report outlines practices for managing cybersecurity risk and enhancing operational resiliency that OCIE observed over “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants” (collectively, “regulated entities”), and groups these practices into seven broad categories. While OCIE describes the report as a collection of practical observations and recognizes that there is no “one-size fits all” prescription,2 OCIE “felt it was critical to share these observations in order to allow organizations to reflect on their own cybersecurity practices.”
Given OCIE’s long-standing and continuing focus on cybersecurity in its examinations, which was echoed in its examination priorities for 2020,3 regulated entities should take note of the practices identified by OCIE in this report and consider implementing such practices as appropriate. The report, which serves as a useful “checklist” that regulated entities can use to evaluate their own policies, procedures and practices, is discussed in more detail below:
Governance and Risk Management
At the outset, OCIE made clear that “[e]ffective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their entity’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.”
OCIE identified several practices regulated entities have used to implement effective risk management and governance measures, including risk assessments to identify, analyze, manage, mitigate and prioritize cybersecurity risks relevant to the entity’s business risks and model;4 written policies and procedures to address those risks, and the effective implementation and enforcement of those policies and procedures.
OCIE observed additional governance and risk management measures, such as: comprehensive testing and monitoring to validate the effectiveness of cybersecurity programs “on a regular and frequent basis” and informed by cyber threat intelligence. Other practices it identified were responding promptly to the monitoring and testing results by updating cybersecurity programs—including appropriate senior-level engagement—and internal and external communication policies and procedures to provide timely information to relevant stakeholders.5
Access Rights and Controls
OCIE states that access controls generally include: (i) understanding the location of data, including client information, throughout a regulated entity; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.
OCIE observed the following access control approaches: (i) developing a clear understanding of access needs to systems and data (including limiting access to systems and data based on those needs and requiring periodic reviews); (ii) managing user access through systems and procedures;6 and (iii) monitoring user access (including failed login attempts and account lockouts) and developing controls for (a) authenticating customer user name and password change requests as well as anomalous or unusual customer requests, (b) consistently reviewing for system hardware and software changes, and (c) approving and properly implementing changes and investigating anomalies.
Data Loss Prevention
OCIE identified a number of tools and processes used by regulated entities to ensure sensitive information is not lost, misused, or accessed by unauthorized users:
- Conducting routine internal and external vulnerability scans of software code, web applications, servers and databases, workstations, and endpoints;
- Implementing processes to control, monitor, and inspect network traffic to prevent unauthorized or harmful traffic (e.g., firewalls, intrusion detection systems, email security capabilities, and web proxy systems with content filtering);
- Using an enterprise data loss prevention solution that can monitor and block access to personal email, cloud-based file sharing services, social media sites, and removable media (e.g., USBs, CDs);
- Using endpoint threat detection capabilities, as well as products that have both signature and behavioral-based capabilities and can identify incoming fraudulent communications; capturing and retaining for analysis logs from systems and applications; and, for software with automated action functionality (e.g., macros and scripts), enabling optional security features or following the security guidance that may be offered by third-party software providers;
- Establishing a patch management program for all software (whether developed in-house or by a third party) and hardware;
- Maintaining a hardware and software asset inventory (and within that, identifying critical assets and critical information sources/storage, their location and their related security profile);
- Using data/system security tools (e.g., internally and externally encrypting data “in motion” and “at rest” on all systems, including laptops, desktops, mobile phones, tablets, and servers and implementing network segmentation and access control lists);
- Identifying suspicious behaviors for potential insider threats; enhancing business systems testing (depth and frequency) and conducting penetration tests; identifying and blocking the external transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code); monitoring corrective actions; and
- Managing and controlling the decommissioning and disposal of hardware and software (e.g., removing sensitive information and reassessing vulnerability and risk assessments).
OCIE believes that mobile devices and applications may create additional and unique vulnerabilities.OCIE highlighted several practices that firms have taken in this regard:
- Establishing mobile device policies and procedures;
- Using a mobile device management application or similar technology;
- Requiring multi-factor authentication for users; preventing printing, copying, pasting, or saving of information to personally-owned devices; remotely clearing data and content from a lost or a former employee’s device;
- Training users regarding mobile device policies and how to protect them.
Incident Response and Resiliency
According to OCIE,incident response “includes: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents.” OCIE believes that a key part of an incident response plan is business continuity and resiliency. With that background, OCIE observed that many regulated entities with incident response plans tended to include the following elements:
- Developing a risk-assessed incident response plan for various scenarios (e.g., denial of service attacks, malicious disinformation, ransomware, key employee succession) and “extreme but plausible scenarios”;
- Considering past cybersecurity incidents and current cyber threat intelligence in developing business continuity plans;
- Incorporating escalation, notification, reporting, disclosure, communications and response protocols;7
- Assigning specific roles and responsibilities to staff and identifying additional cybersecurity and recovery expertise in advance;
- Testing the plan as well as recovery times using a variety of methods including tabletop exercises; and
- Assessing the firm’s response to an actual incident.
Regarding resiliency, OCIE observed the following practices:
- Identifying and prioritizing key business services; understanding the impact of a failure on business services; mapping business support systems and processes (internal and external);
- Developing an operational resiliency strategy that: (i) identifies and considers “substitutable” systems and processes; (ii) considers geographic separation of back-up data and seeks to avoid concentration risk; and (iii) considers business disruption impact on both the firm’s stakeholders and other organizations;
- Maintaining back-up data in a different network and offline; and
- Considering cybersecurity insurance.
According to OCIE, vendor management policies and procedures generally include the following: (i) conducting vendor due diligence; (ii) monitoring and overseeing vendors; (iii) incorporating an assessment of vendor relationships in the firm’s ongoing risk assessment process (which serves to inform the nature and extent of vendor due diligence); and (iv) assessing the vendor’s own information protection controls.
OCIE observed the following vendor management practices:
- Establishing due diligence and monitoring procedures and controls to ensure vendors meet and continue to meet security requirements and to be aware of changes to vendor services, personnel or risk profiles; using questionnaires based on, for example, SOC 2 (SSAE 18) and independent audits; establishing procedures for terminating or replacing vendors and exercising other contractual rights.
- Understanding the details of the vendor relationship to ensure that all parties have the same understanding regarding risk and security; understanding and managing outsourcing risks presented by vendor’s use of other third parties, such as cloud-based service providers.
Notably, OCIE also highlighted vendor oversight in its 2020 examination priorities.8
Training and Awareness
According to OCIE, training and awareness are key components of cybersecurity programs. OCIE highlighted several training practices observed in its examinations, including using policies and procedures as a training guide to develop a culture of cybersecurity readiness and operational resiliency; using examples and exercises—such as phishing simulations and suspicious behavior or potential breach indicators—in training efforts; and monitoring training attendance and assessing training effectiveness (including continuously re-evaluating and updating training programs based on cyber threat intelligence).
In the report’s conclusion,9 OCIE encouraged market participants to review their cybersecurity and operational resiliency practices, and noted that implementation of some or all of the practices described in the report will lead to improved security. Given the steady ratcheting up of cybersecurity expectations in recent years, there is a strong likelihood that OCIE will begin to incorporate these practices as supervisory expectations in future examinations.
1 SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices, SEC (Jan. 27, 2020), https://www.sec.gov/news/press-release/2020-20 [hereinafter “Press Release”].
2 OCIE, Cybersecurity and Resiliency Observations, SEC (Jan. 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf [hereinafter “Report”].
3 See our Legal Updates on the SEC’s activities at: https://www.mayerbrown.com/en/perspectives-events/publications/2019/04/secs-ocie-issues-risk-alert-for-investment-adviser-and-brokerdealer-compliance-issues-related-to-regulation-sp; https://www.mayerbrown.com/en/perspectives-events/publications/2018/10/sec-brings-first-enforcement-action-under-the-iden; https://www.mayerbrown.com/en/perspectives-events/publications/2017/10/sec-is-serious-about-cybersecurity-compliance; https://www.mayerbrown.com/en/perspectives-events/publications/2017/08/us-securities-and-exchange-commissions-office-of-c.
4 In terms of potential risks, OCIE specifically mentioned those associated with remote or traveling employees, insider threats, international operations and geopolitical risks. While not specifically mentioned, changes to an organization’s business model as part of an acquisition or organic growth can present different cyber risks.
5 According to OCIE, this includes decision makers, customers, employees, other market participants, and regulator as appropriate. Firms also might consider communications with their affiliates and vendors/service providers.
6 In this regard, OCIE observed the following user management strategies: (i) limiting access during all phases of the user’s relationship with the firm, e.g., onboarding, transfers, terminations, whether the user is an employee, contractor, service provider or otherwise; (ii) separating duties for user access approvals; (iii) periodically re-certifying users’ access rights on a periodic basis (paying particular attention to accounts with elevated privileges); (iv) implementing password management and related controls; (v) leveraging multi-factor authentication, an application or key fob to generate an additional verification code; and (vi) revoking system access immediately for individuals no longer employed by the organization.
7 This should include contract law enforcement, informing regulators, and notifying customers or employees.
8 SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities, SEC (Jan. 7, 2020), https://www.sec.gov/news/press-release/2020-4. See our Legal Update on the 2020 examination priorities at: https://www.mayerbrown.com/en/perspectives-events/publications/2020/01/ocies-2020-examination-priorities-variations-on-recurring-themes.
9 The report also included a section on key resources (including the SEC’s cybersecurity page and CISA alerts), which regulated entities may find helpful.