On January 27, 2020, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices (“Examination Observations”). The observations highlight a set of best practices by market participants in the following areas: (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness. Cybersecurity has been a key priority for OCIE since 2012. Since then, it has published eight cybersecurity-related risk alerts, including an April 2019 alert addressing mobile security. OCIE has perennially included cybersecurity practices as part of its examination priorities (“Examination Priorities”) and listed all but mobile security as “particular focus areas” in the “information security” priority for 2020.
Although OCIE recognized that not every practice may be appropriate for all registrants, it highlighted the following measures observed in its examinations. Advisers should nonetheless expect the SEC, in both examinations and investigations, to measure their programs against these “best practices”.
- Governance and Risk Management. OCIE emphasized that the most effective cybersecurity programs start with the “tone at the top”. OCIE encouraged senior leadership to devote ongoing attention to improving an organization’s cybersecurity and resiliency programs and establishing communication policies and procedures with other decision makers and employees. Advisers should be prepared to receive questions during OCIE examinations about senior management’s awareness and oversight of the cybersecurity compliance program.
- Access Rights and Controls. OCIE observed that limiting access to the organization’s systems to authorized users is a key component of an effective cybersecurity program. Effective access management includes understanding where data, including client information, resides throughout the organization; restricting access to systems and data to authorized users; periodically re-certifying users’ access rights, including through periodic account reviews; and establishing controls to prevent and monitor for unauthorized access, such as by tracking failed login attempts. The degree to which OCIE would expect advisers to operate systems on a “need to know” basis, or in a more closed rather than open architecture, should become more apparent in the next examination cycle.
- Data Loss Prevention. Effective measures highlighted in the report include establishing routine vulnerability scans of software code and web applications; implementing firewalls and web proxy systems; and blocking access to personal email, cloud-based file sharing services and social media sites. OCIE also encouraged registrants to establish an insider threat monitoring program to identify suspicious behavior and to escalate issues to senior leadership as appropriate.
- Mobile Security. OCIE warned that the use of mobile devices can increase vulnerabilities, and emphasized the need for policies and procedures governing mobile application and device use. Consistent with its April 2019 alert, OCIE noted the need for controls to prevent employees from storing information and data on personal devices and ensure the ability to remotely clear data and content from lost or old devices. Advisers should take this opportunity to review and update their policies in this area, with a particular focus on ensuring that they can – and will – be followed in practice.
- Incident Response and Resiliency. OCIE observed that many registrants’ incident response plans (“IRPs”) included policies and procedures to timely detect events and disclose material information regarding incidents. Key components of IRPs, according to OCIE, address business continuity and resiliency, compliance with federal and state data breach reporting requirements, and consideration of notice to and information sharing with regulators as appropriate. In addition, OCIE observed that IRPs tend to include procedures for escalating incidents to appropriate levels of management and communicating with key stakeholders. Practical steps that advisers can take to implement these practices include periodically testing plans and recovery times, for example through tabletop exercises, and maintaining an inventory of core business operations and systems. The report’s focus on response and resiliency planning suggests that examinations will consider how quickly and effectively an organization can respond to and recover from an incident.
- Vendor Management. OCIE identified the importance of implementing internal policies regarding vendor management, including procedures for conducting diligence during vendor selection, considering vendor relationships in the registrant’s ongoing risk assessment process and assessing how vendors protect client information. The report highlighted that notable vendor management programs include safeguards to ensure that vendors meet security requirements, such as questionnaires, reviews against industry standards and independent audits. This item appears particularly important in light of OCIE’s emphasis on third-party vendor management in the Examination Priorities, particularly for vendors that provide cloud‑based computing software.
- Training and Awareness. OCIE emphasized the importance of effective cybersecurity training programs for employees. Effective training programs included exercises to help employees identify phishing emails, which the SEC has previously identified as a common vector for cyber-fraud, and materials to help employees recognize and report potential breaches before they occur. One benefit of such training programs, OCIE observed, is that they build a culture of cybersecurity readiness.
Finally, OCIE encouraged advisers to review their cybersecurity and operational resiliency practices, policies and procedures. Advisers should ensure they are incorporating the Examination Observations into their policies and procedures to avoid potential deficiencies in examinations. While the Advisers Act and its implementing rules are principles‑based and do not require advisers to adopt any particular policies and procedures, the Examination Priorities and Examination Observations set out a clear expectation that advisers have and follow cybersecurity and operational resiliency policies. The refinement over the past year of Staff expectations through risk alerts, Examination Priorities, and Examination Observations suggests that policies in these areas should be periodically reviewed and updated.
The Examination Observations are one part of a Commission-wide focus on cybersecurity. Continued interest by the Enforcement Division in bringing cybersecurity cases appears likely given the close coordination between OCIE and Enforcement Division staff and the ramping up of the Enforcement Division’s Cyber Unit. In addition, the SEC recently approved a National Securities Clearing Corporation (“NSCC”) rule to establish cybersecurity requirements as a condition of membership. One requirement mandates, for example, that members and other entities connecting to NSCC’s network implement a cybersecurity framework that aligns with a recognized industry standard such as the NIST framework or FFIEC Cybersecurity Assessment Tool. While the Examination Observations are designed to address risks posed by individual registrants, the NSCC rule shows that the SEC views cybersecurity as a potential source of systemic risk. Moreover, many of the 4,000 firms that are NSCC members are SEC registrants subject to examination by OCIE. The NSCC rule may be viewed as an overt expression of the SEC’s expectations for cybersecurity best practices and as a way to indirectly impose prescriptive cybersecurity rules.