SEC Issues New Guidance on Cybersecurity and Resiliency: Is your firm prepared?

Firms should conduct risk assessments to identify cybersecurity risks specific to their organizations (e.g., remote or traveling employees, insider threats, international operations and geopolitical risks). Firms should also adopt and implement comprehensive written polices to address such risks and establish and conduct regular and frequent testing and monitoring of their cybersecurity policies and programs. If testing uncovers vulnerabilities, firms should respond promptly to address any gaps and weaknesses in their policies. Finally, OCIE noted that active engagement from a firm’s senior leadership is a hallmark of an effective cybersecurity program. A firm’s senior leaders and board should therefore devote appropriate attention to understanding, prioritizing, communicating and mitigating cybersecurity risks.

Firms should implement and actively monitor access controls that limit access to sensitive systems and data to those with a legitimate and authorized business need. Access should, among other things: (i) be monitored, adjusted and terminated, as appropriate, during personnel onboarding, transfers and terminations; (ii) be periodically recertified, particularly for users with elevated privileges; (iii) require the use of strong and periodically changed passwords; and (iv) utilize multi-factor authentication, including through applications or key fobs that generate an additional verification code. Firms should also monitor for failed login requests, account lockouts and requests for username and password changes.

Firms should implement vendor management programs to engage and monitor vendors that meet requisite security requirements, including by leveraging questionnaires based on industry standards and arranging for independent audits. Firms should also understand all vendor contract terms, including how responsibilities and expectations are allocated between the firm and the vendor, and to ensure that the firm has procedures in place to terminate or replace vendors as necessary. Each vendor relationship should be reevaluated on an ongoing basis to ensure that vendors are adapting to new cyber-threats and a firm’s evolving business.

Firms should develop a risk-assessed incident response plan to address various cybersecurity breaches and other incidents (including, among other scenarios, denial of services attacks, malicious disinformation, ransomware and key employee succession). Firms should implement, maintain and regularly test policies and procedures that address, among other things: (i) timely notification and response if an event occurs; (ii) a process to escalate incidents to the appropriate levels of management, including legal and compliance; and (iii) communication with key stakeholders, including notifying customers, clients and employees that their data is compromised. Firms should have a plan in place to communicate with the appropriate regulatory authorities and to comply with any applicable reporting requirements. In addition, firms should designate and train employees for specific roles and responsibilities in the event of a cyber incident. Finally, firms should assess vulnerabilities specific to their business operations and should consider implementing safeguards (e.g., back-up systems, geographic separation of back-up data, cyber insurance, etc.) to ensure the resiliency of core business operations and systems in the event of a cyber incident. 

OCIE identified employee training as a key component of an effective cybersecurity program. Firms should train staff on the implementation of the firm’s cybersecurity program, including by providing specific cybersecurity and resiliency training (e.g., phishing exercises and exercises to help employees identify and respond to indicators of suspicious behavior and breaches). Firms should also monitor to ensure employees attend trainings and should re-evaluate and update trainings to account for new cyber threats. 

Firms are encouraged to implement a mobile device management application or similar technology, including for email, calendar, data storage and other activities. Firms that utilize a “bring your own device” policy should ensure that their mobile device management solutions work with all mobile phone/device operating systems. Firms should also implement additional security measures (e.g., multi-factor authentication, preventing the transmission of sensitive information to personally-owned computers, tablets and smartphones, and ensuring the firm’s ability to remotely clear data from lost devices or devices belonging to former employees). Firms should also ensure that personnel and employees are trained on mobile device policies and best practices.

Firms should implement policies and procedures to ensure that sensitive information is not lost, misused or accessed by unauthorized users. Such policies and procedures include, among others:

• conducting routine scans of software code, web applications, servers, databases, workstations and endpoints within the firm and third-party providers;
• implementing firewalls, intrusion detection systems, email security capabilities and web proxy systems;
• monitoring access to personal email, cloud-based file sharing services, social media sites and removable media;
• implementing capabilities that detect threats on endpoints, including products that can identify incoming fraudulent communications to prevent unauthorized software or malware from running;
• establishing a patch management program covering all firm software and hardware, including anti-virus and anti-malware installation;
• maintaining an inventory of all of the firm’s hardware and software;
• utilizing encryption to secure data and systems;
• implementing programs to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information and source code); and
• establishing procedures to ensure legacy hardware and software is decommissioned safely, including by removing sensitive information prior to disposal.

Market participants must always consider their businesses’ resources and operational needs when developing and implementing an effective cybersecurity program. Nevertheless, the measures discussed in OCIE’s most recent guidance provide useful insight into the industry practices and measures OCIE is likely to consider and evaluate in future examinations. While these measures are neither mandatory nor exhaustive, they are instructive and warrant particular attention. Firms should review their cybersecurity programs with these core data security elements in mind and consider improvements before their next examination.