On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published observations from its examinations of regulated entities, including funds and investment advisers, to assist those entities in cybersecurity preparedness and operational resiliency. OCIE noted that addressing cybersecurity threats has become increasingly important, and is a key priority in its examinations. With the goal of improving cybersecurity, OCIE discussed the following:

• Governance and Risk Management. OCIE observed organizations that engage senior leadership in the process of establishing and overseeing cybersecurity and resiliency programs. OCIE further observed programs that include a risk assessment and written policies and procedures designed to address identified risks. OCIE noted programs that ensure effective implementation of policies and procedures, including periodic updates to address gaps or weaknesses.
• Access Rights and Controls. OCIE discussed the importance of understanding the location of data and the needs of employees to access that data. OCIE further noted systems that effectively restrict access to data to authorized users and monitor for unauthorized users. OCIE observed organizations that periodically review users’ access rights.
• Data Loss Prevention. OCIE noted that organizations may prevent the loss of sensitive data by scanning systems for vulnerabilities, monitoring network traffic to detect threats and prevent harmful or unauthorized traffic, patching software vulnerabilities, encrypting data and securing current and legacy hardware.
• Mobile Security. OCIE observed organizations that have established and implemented specific policies and procedures to address the unique vulnerabilities posed by mobile devices. OCIE also noted organizations that have implemented mobile device-specific security measures and provide training on mobile security.
• Incident Response and Resiliency. OCIE observed organizations that have developed risk-based incident response plans for cyberattacks, which include procedures for addressing applicable reporting requirements, designating staff responsible for executing specific aspects of the plan and testing and assessing such plans. OCIE further noted organizations that have created a strategy for operational resiliency by identifying and prioritizing core business services, considering any effects that a failure may have and adequately backing up data.
• Vendor Management. OCIE observed organizations that have established due diligence procedures for ensuring that third-party vendors meet security requirements. OCIE noted organizations that ensure all parties have the same understanding of how contract terms address risk and security and monitor each third-party vendor’s compliance with security requirements.
• Training and Awareness. OCIE observed organizations that train staff to implement policies and procedures and periodically assess the effectiveness of such trainings.

OCIE concluded by noting the availability of additional resources for addressing cybersecurity threats, including, among others, the SEC’s Cybersecurity Spotlight page and the Cyber Infrastructure Security Agency’s periodic cybersecurity alerts.

OCIE’s Cybersecurity and Resiliency Observations are available here.