The Securities and Exchange Commission (SEC) is giving financial services organizations a look at favorable cybersecurity practices it has observed in “thousands of examinations” of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.
The SEC information could serve as a valuable cybersecurity tip sheet for MSSPs (managed security services providers) that are moving into the financial services vertical.
In a 10-page document produced by the SEC’s Office of Compliance Inspections and Examinations (OCIE) fittingly entitled Cybersecurity and Resiliency Observations, the agency said it had taken note of a variety of industry practices and approaches that have proven successful in tamping down cybersecurity risk. The information spans these areas:
- Governance and risk management.
- Access rights and controls.
- Data loss prevention.
- Mobile security.
- Incident response and resiliency.
- Vendor management.
- Training and awareness.
The observations highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and respond to an incident. In allowing that not all of the practices will suit every organization, the SEC said it is “providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.”
While the report reads largely as a series of examples of how organizations have successfully locked down their data and systems, practices the OCIE considers worth emulating, the OCIE does explicitly recommend that organizations establish an incident response plan and contact local authorities or the Federal Bureau of Investigation if an attack or compromise is discovered or suspected. It also suggests informing regulators and sharing information, including indicators of compromise, with the appropriate organizations, and notifying customers, clients, and employees promptly if their data is compromised.
“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” said Peter Driscoll, OCIE director. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
Proper Risk Management and Governance
For example, in the governance and risk management section, the OCIE said it had observed organizations using the following risk management and governance measures:
- Senior level engagement.
- Risk assessment.
- Policies and procedures.
- Testing and monitoring.
- Continuously evaluating and adapting to changes.
- Communication.
Similarly, a section on data loss prevention covers eight practices the OCIE observed organizations using, including vulnerability scanning, perimeter security and detective security. In particular, companies with solid data loss prevention policies and procedures had established a patch management program covering all software and hardware, including the installation of anti-virus and anti-malware software.
The SEC’s document comes only a few days after the National Security Agency released guidance to help organizations mitigate issues such as cloud misconfigurations, poor access controls and shared tenancy and supply chain vulnerabilities.