SEC Releases More Cyber Best Practices, Including Surprise Additions

In advance of National Data Privacy Day today, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has just released a new summary of cybersecurity best practices it has observed over the course of thousands of examinations it has conducted over the past few years. In its Cybersecurity and Resiliency Observations, OCIE recognizes that while there is no universal approach to cybersecurity, there are several notable practices firms can strive for to safeguard against an increasingly sophisticated cybercriminal and to become more operationally resilient.

OCIE categorizes these strong practices into the six key risk areas it has commonly used for its cybersecurity examination initiatives, but also adds Mobile Device Security as its own category and expands Incident Response to include a focus on resiliency: (1) Governance and Risk Management, (2) Access Rights and Controls, (3) Data Loss Prevention (DLP), (4) Mobile Security, (5) Incident Response and Resiliency, (6) Vendor Management, and (7) Training and Awareness.

Among the highlighted best practices are several controls previously identified by OCIE, as well as an expanded discussion of some newer focus areas. Similar to past risk alerts, OCIE’s focus on governance stems from a theme that cybersecurity is a risk that impacts the entire firm and cannot be effectively mitigated in a silo. Rather, organizations are better prepared if they have recognized cybersecurity as a firm-wide risk and addressed it with buy-in from senior management through a commitment to devote the necessary resources to conduct cyber risk assessments, enhance cyber policies, and regularly conduct cyber testing. Likewise, OCIE’s focus on access rights and controls reiterates the importance of strong access provisioning, change management, and termination procedures for staff and vendors, as well as a better understanding of who has access to what data and why.

Notably, OCIE’s observations in the DLP realm seem to focus more on detection capabilities – from identification of network vulnerabilities through scanning and penetration testing to controls combating insider threats. While firms of all sizes can readily implement encryption and develop an inventory of systems without much cost, some DLP controls that identify suspicious behaviors can be more costly to implement in practice. Rules-based DLP systems require a lot of fine-tuning, and while they may catch data leakage of account numbers by email, there are many ways to circumvent such detection; they seem better suited to blocking the unintentional transmission of an account number than to stopping intentional activity. Multifactor Authentication (MFA) is noted by OCIE as a strong practice, and it does make it more difficult for hackers to access your data, but even MFA can be exploited by skilled hackers.
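To make the fine-tuning point concrete, here is an added Python example (not from OCIE's observations or any CSS tooling) that contrasts a naive "16 contiguous digits" email rule with a tuned rule that normalizes separators and applies a Luhn mod-10 check; the messages and the card-like number are constructed test data.

```python
import re
from typing import List

# Constructed sample outbound messages (test data, not real customer data).
# 4111111111111111 is the well-known Visa test number; it passes the Luhn check.
MESSAGES = {
    "contiguous": "Card on file: 4111111111111111, please update.",
    "spaced":     "Card on file: 4111 1111 1111 1111, please update.",
    "order_id":   "Your order 1234567890123456 has shipped.",
    "clean":      "Meeting moved to 3pm, see attached agenda.",
}

# Naive rule: exactly 16 contiguous digits. Misses separator variants and
# flags any 16-digit identifier (order numbers, tracking ids) as a leak.
NAIVE_RULE = re.compile(r"\b\d{16}\b")

# Tuned rule: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits. Candidates are then validated with Luhn below.
TUNED_RULE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def naive_detect(text: str) -> List[str]:
    """Account-number hits from the untuned rule."""
    return NAIVE_RULE.findall(text)


def tuned_detect(text: str) -> List[str]:
    """Normalized account-number hits that also pass the Luhn check."""
    hits = []
    for m in TUNED_RULE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    for name, body in MESSAGES.items():
        print(f"{name:10s} naive={naive_detect(body)} tuned={tuned_detect(body)}")
```

Run as a script, the naive rule misses the spaced variant and raises a false positive on the order id, while the tuned rule catches only the Luhn-valid number in both formats.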

Mobile Security is a novel addition to OCIE’s list, including an expectation that firms are addressing the use of mobile devices, including Bring Your Own Device (BYOD) environments, through policies, procedures, and software solutions that enable the ability to remotely wipe sensitive data from mobile devices of terminated staff.

Yet another new addition is the inclusion of “Resiliency” in OCIE’s focus on Incident Response. Here, OCIE sets a clear expectation that a strong incident response program not only provides for tackling incidents when they occur, but is proactively designed with risk mitigation in mind and maintained to take changes in data privacy regulations and reporting requirements into consideration.

There are a number of ways to test one’s incident response plan that do not involve intentionally releasing malware onto one’s network. Tabletop exercises simulating incident scenarios are an effective method to ensure roles and responsibilities are understood, and proactive phishing testing can help identify opportunities for increased staff awareness of susceptibility to causing an incident at one’s firm. Although OCIE notes that the best practices it has observed are not a one-size-fits-all solution, unfortunately the centralized logging and log analysis capabilities identified by OCIE as a best practice are generally controls that only larger organizations will have the budget and internal resources to implement.

As OCIE notes in the preamble to its guidance, cybersecurity threats “are significant and increasing,” and are “becoming more aggressive and sophisticated” – so it is therefore no surprise that OCIE has recognized cybersecurity as a key priority for the past eight years, with no end in sight. The apparent goal: through a continued focus and through the release of updated guidance on how industry peers are tackling such issues, to help raise the collective bar in combating cybersecurity risks.


If you need more help, CSS offers Shield, a cyber solution designed to take the worry of securing firm and client information off your plate. Or for a deep dive on this important topic, consider joining us at our upcoming Spring Compliance Conference in Sarasota, Florida.
