It may seem that when you seen one set of cybersecurity guidelines, you’ve seen……one set of cybersecurity guidelines. Every vendor, every regulation, every client is looking for something similar, but not quite the same when it comes to cybersecurity. Maybe there’s some hope, for U.S. businesses, at least, coming from the Securities and Exchange Commission.
At the end of January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report of cybersecurity guidelines based on observations made during “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” The report details a series of cybersecurity practices within 7 key areas of concentration:
#1 Governance and Risk Management
The report emphasizes the role senior leadership needs to play in defining and implementing cybersecurity strategies for the organization. Board members and other senior leaders should oversee the adoption and regular updating of policies and procedures based on an organization-specific risk assessment as well as establish proper communication channels regarding cyber threats throughout all levels of the organization.
#2 Access Rights and Controls
The report also highlights the need for organizations to limit access to sensitive information only to those who need it for specific and legitimate purposes. The OCIE recommends organizations frequently reevaluate access privileges and implement systems to monitor unauthorized access attempts.
#3 Data Loss Prevention
The OCIE also outlines a number of steps organizations should take towards preventing the loss or exposure of sensitive information. This includes measures such as frequent vulnerability scans, encryption and network segmentation, and insider threat monitoring.
#4 Mobile Security
Organizations should also have policies and monitoring systems in place for the use of mobile devices for business purposes. The OCIE recommends training employees on mobile security as well as requiring the use multi-factor identification for any business applications used on mobile devices.
#5 Incident Response and Resiliency
Developing and testing a response plan for any cybersecurity incidents is also an important area for organizations to concentrate. The OCIE recommends assigning and training specific staff members in incident response, simulating an incident to test response effectiveness, and updating the response plan based on testing.
#6 Vendor Management
Because vendors may have access to an organization’s information, the OCIE also recommends implementing policies to assess and monitor vendors’ security posture. This includes reviewing vendor contracts and implementing a vendor management program.
#7 Training and Awareness
Lastly, the OCIE encourages organizations to provide training in cybersecurity for all employees. Organization leadership should develop the training based on the their specific security policies and use training programs that actively engage employees.
Implications
While the cybersecurity guidelines that the OCIE outlines cannot ensure compliance or prevent liability concerns, many consider the report as a strong and practical roadmap for organizations to consider. In an article for the Legal Intelligencer, Devin Chwastyk laments the legal ambiguity of what is considered “reasonable care” with regards to safeguarding sensitive information and sees the steps outlined in the SEC’s report as offering “practicable (and understandable) advice on how [organizations] might start to try to avoid liability for a data security incident.” The National Law Review also notes that, while the report is aimed at the financial sector, it provides “helpful benchmarks” for a variety of industries. Moreover, given the SEC’s strong focus on cybersecurity in the past few years, there is speculation that this report could help inform regulation enforcement determinations in the future.