Recently, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) shared observations, drawn from “thousands” of examinations, on industry practices and approaches for managing and combating cybersecurity risk and for maintaining and enhancing operational resiliency (the “Report”).
The Report organizes its observations under seven categories:
- governance and risk management
- access rights and controls
- data loss prevention
- mobile security
- incident response and resiliency
- vendor management
- training and awareness
While the Report acknowledges that there is no “one-size-fits-all” approach to cybersecurity and resiliency, and that not all of the identified practices will be appropriate for every organization, OCIE’s examiners can be expected to structure their cybersecurity examination inquiries around the listed categories. For this reason, registrants subject to OCIE’s oversight are advised to consider how well their cybersecurity programs address each of the categories and subcategories set forth in the Report.
In undertaking this review, registrants should give special attention to the risk management program underlying their cybersecurity practices. In particular, registrants should consider whether they have conducted a robust and thorough risk assessment that is reasonably designed to identify, analyze and prioritize cybersecurity risks. Registrants should also consider whether their risk management program satisfies the applicable governance and other measures set forth in OCIE’s Report, including senior-level engagement, and whether the program is appropriately documented in the form of policies and procedures, is subject to regular and frequent testing and monitoring, is updated promptly in response to identified weaknesses or gaps or to changes in the registrant’s business, and provides for timely communication of information both internally and externally, including to decision makers, customers, employees and regulators.