News 03.30.20

Best Practices for Cyber-Resilience in Uncertain Times

This January, in a continued effort to foster cybersecurity awareness, the Securities and Exchange Commission released its latest examination observations: Cybersecurity and Resiliency Observations from the Office of Compliance Inspections and Examinations (“OCIE”). While the intended audience is market participants, the observations and lessons contained in the report provide easy-to-digest action points that are consistent with best practices with which most organizations should comply.

In developing its report, the OCIE examined thousands of transactions across a variety of industries, as well as how industry participants attempt to stay informed about cyber-related risks and practices. While there is no “one-size-fits-all” approach to cyber-resilience, the OCIE identifies numerous areas of best practice. The OCIE recommends that a company’s practices address critical issues including governance and risk management, access rights to and control of data, data loss prevention, mobile security, incident response and resiliency, vendor management, and training.[1]

As with many policies, in order to implement a cybersecurity program effectively, corporate leadership must prioritize cyber-resiliency and commit to the development and execution of relevant policies as an integral part of its business plan. The OCIE recommends incorporating “(i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks… [including a paper copy] and (iii) the effective implementation and enforcement of those policies and procedures.” The process of developing these policies must begin with allotting time for review and input by senior corporate leadership, and must also ensure internal and external communication with key decision makers, employees, vendors and customers.

A company must also evaluate access rights and controls as part of its risk assessment. This process should involve (i) identifying the location of data – including sensitive client and employee data – throughout the organization; (ii) placing appropriate restrictions on systems in order to limit data access to necessary and authorized users; and (iii) establishing controls for monitoring and preventing unauthorized access to data. According to the OCIE, organizations can – and should – take simple steps in this area, for example by periodically requiring password changes, adopting multifactor authentication, monitoring failed login attempts, and continually updating data access restrictions.

Best practices, of course, also require a company to update its technological protections and monitor them for deficiencies. Corporations must also restrict vendor access to data, develop practices for ensuring that vendors who obtain data access have developed and adhere to appropriate cyber-risk management policies, and develop contract and insurance protections.

Importantly, the OCIE identifies examples of specific practices that organizations have adopted to minimize the risk of a cyber-attack and to be best prepared to respond in the event of such an attack. Clearly, the risk of an adverse cyber-event cannot be ignored, and corporations across the country must engage appropriate experts and practitioners to develop, implement and update their policies. The OCIE observations and recommendations serve as yet another reminder of the critical importance of cyber-resilience in this modern age.

[1] The report in its entirety can be found at: https://www.sec.gov/news/press-release/2020-20.