As financial services firms and their vendors have grown increasingly dependent upon digital technologies, cybersecurity risk management has become an indispensable component of operational planning. As a result, cybersecurity has become one of the biggest challenges these financial services organizations face.
This hot-button issue has also become a top priority and a critical area of focus for the SEC. To keep firms informed, the SEC maintains a Cybersecurity Spotlight webpage that provides cybersecurity-related information and guidance to all interested parties.
Cybersecurity is similarly a high priority for the SEC’s Office of Compliance Inspections and Examinations (OCIE). For the past several years, the OCIE has identified information security as a key risk for financial services firms and has made it a key element of its examination program. Drawing on examinations of broker-dealers, investment advisors, clearing agencies, national securities exchanges, and other SEC registrants, OCIE has released a Cybersecurity and Resiliency Observations report detailing the most significant findings uncovered during those examinations. The report serves as a resource that market participants can use to enhance and improve their cybersecurity preparedness.
Practice Area Review for Financial Services Cybersecurity Preparedness
- Oversight Responsibility and Risk Management
  - Obtain senior leadership buy-in by having them set cybersecurity strategy and oversee the financial services organization’s cybersecurity programs
  - Perform a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization
  - Create and implement written policies and procedures that address the identified risks
  - Establish periodic testing and monitoring to validate the effectiveness of cybersecurity policies and procedures
- Access and Control Rights
  - Determine who should have access to systems and data, and limit access to sensitive information
  - Monitor user access (including failed login attempts and account lockouts)
  - Establish a change management process that covers both the approval and the proper implementation of changes
- Preventing Data Loss
  - Routinely scan software code, workstations, web applications, and endpoints, both within the organization and at third-party providers
  - Implement systems that control, monitor, and inspect all incoming network traffic
  - Capture and retain system logs from systems and applications
  - Maintain an inventory of hardware and software assets
- Security for the Mobile Environment
  - Establish policies and procedures for the use of mobile devices
  - Ensure the ability to remotely wipe data and content from a lost device or from a device belonging to a former employee
- Incident Response Planning
  - Develop a risk-assessed incident response plan for cybersecurity attacks
  - Test and assess the incident response plan
  - Establish a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented
  - Monitor the vendor relationship to ensure that the vendor continues to meet security requirements
  - Train staff to implement the organization’s cybersecurity policies and procedures
  - Provide cybersecurity training, including phishing exercises, to train employees to identify malicious emails
To make sure that your financial services firm remains in compliance, familiarize yourself with SEC and OCIE guidance and implement the cybersecurity best practices listed above.