What Happened?

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a detailed report on January 27, 2020 regarding various ways for organizations to safeguard data and protect against security and data breaches. Cyber threat actors are now invading data in a more sophisticated manner than ever before, and implementation of the SEC’s recommended practices are essential in order to protect from outside vulnerabilities.

What is at Risk?

If market participants fail to implement these recommended policies, they will become more vulnerable to external attacks and data breaches. This can weaken an organization or firm if all employees are not properly trained and informed of the increasing dangers of cybersecurity breaches.

What Can You Do to Protect Yourself from a Cybersecurity Threat?

1. Governance and Risk Management. Senior leaders should make efforts to improve the cyber safety at their organization. Some of these efforts may include:

• Devote attention to overseeing the organization’s cybersecurity and resilience programs;
• Develop a risk assessment process to identify and mitigate cybersecurity risks to the organization;
• Adopt and implement policies and procedures regarding these risks;
• Promptly respond and adapt to changes by updating policies and procedures when necessary; and
• Establish communication policies and procedures to provide timely information to customers, employees, and others when needed.

2. Access Rights and Controls. Implement updated controls to determine appropriate users for organization systems, limit access as appropriate to authorized users (including the set-up of multi-factor authentication) and monitor user access.

3. Data Loss Prevention. OCIE has recommended various important data loss prevention measures for organizations:

• Establish a vulnerability management program;
• Implement capabilities that can monitor network traffic and detect threats on endpoints;
• Establish a patch management program covering all software and hardware;
• Maintain an inventory of hardware and software assets;
• Encrypt data and implement network segmentation;
• Create an insider threat program to monitor any suspicious behaviors; and
• Secure legacy systems and equipment through disposal of sensitive information from hardware and software and by reassessing vulnerability and risk assessments.

4. Mobile Security. Establish policies and procedures for mobile device use, manage use of mobile devices through a mobile device management application, implement security measures for internal and external users, and train employees on mobile device policies and effective practices.

5. Incident Response and Resiliency. Detect and disclose material information regarding incidents in a timely manner and assess appropriateness of corrective actions taken in response to incidents. Organizations should develop a plan if an incident occurs, address applicable reporting requirements, assign staff to execute specific areas of the plan, and test and assess the plan. In the event that a data breach occurs, an organization should improve its resiliency by maintaining an inventory of core business services and prioritizing business operations based on an assessment of risks

6. Vendor Management. Establish a vendor management program to ensure that vendors meet your organization’s security requirements. Organizations should aim to understand all contract terms with vendors to ensure that all parties are in agreement regarding risk and security. Organizations should also monitor third-party vendors and ensure that the vendor continues to meet the organization’s security requirements.

7. Training and Awareness. Train staff to implement cybersecurity policies of the organization. Organizations should provide cybersecurity and resiliency training and re-evaluate the effectiveness of training procedures.

A Final Reminder for Organizations

Organizations should strive to implement as many of the SEC’s recommended protection measures as possible. Ensuring that senior members of an organization are leading the initiative in increased awareness about cybersecurity threats through training of employees will lead to greater cyber safety for the overall organization. Although prevention of all breaches cannot be guaranteed, developing data loss prevention plans to keep the organization and its core businesses safe from attack will benefit the entire organization.

How We Can Help

If you feel that your business falls below the SEC’s recommended security measures, our firm can assist with compliance. Contact us for a free initial consultation to determine a reasonable and practical way for your business to become compliant with these guidelines.