The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently announced the publication of a report entitled “Cybersecurity and Resiliency Observations.” The report summarizes the observations gleaned from OCIE’s cybersecurity examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.
The report details observations in a number of key areas, including (1) governance and risk management, (2) access rights and controls, (3) data loss prevention, (4) mobile security, (5) incident response and resiliency, (6) vendor management and (7) training and awareness.
Some key recommendations for regulated entities include:
- developing and updating a vulnerability management program;
- securing their legacy systems and equipment that contain personal information; and
- ensuring clearly-defined communication channels in the event of an information security incident.
In announcing the report, SEC Chairman Jay Clayton noted that, “cybersecurity and resiliency are at the core of OCIE’s inspection efforts.” Similarly, the Director of OCIE stated that “it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”