On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its observations from the most recent cybersecurity sweep examinations. These exams focused on operational resilience practices in the following areas:
- Governance and risk management
- Access rights and controls
- Data loss prevention
- Mobile security
- Incident response and resiliency
- Vendor management
- Training and awareness
The observations highlight specific examples of controls that organizations have implemented to help safeguard against threats and to respond in the event of an incident.
Peter Driscoll, Director of OCIE, summarized the SEC’s cybersecurity priority and the latest release by stating: “Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency. We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
This series of exams launched in 2014 with an initial assessment of what market participants were doing with respect to cybersecurity within their firms. Since then, OCIE has issued its observations, enabling other financial firms to review and update their cybersecurity programs along the way.
As with the exam program generally, OCIE’s cybersecurity exams are risk-based and intended to promote compliance with U.S. securities laws, prevent fraud, monitor risk and inform SEC policy. Although there are currently no rules requiring firms to adopt cybersecurity programs, Greyline recommends that firms revisit the series of SEC releases and contact us with their questions.
Stay tuned for our takeaways on the latest release.