In January, the Securities and Exchange Commission (SEC) released its most substantial cybersecurity guidance to date. The report, “Cybersecurity and Resiliency Observations,” was the result of examination findings and research from the last five years, much of which was led by the commission’s Office of Compliance Inspections and Examinations (OCIE).
This is the first comprehensive guidance we’ve seen from the SEC’s cyber unit since it was established several years ago. In many ways, it reads as an examination pamphlet—outlining the essential information security practices and programs a financial services institution will need to have in place to stand up against a government raid, inquiry or investigation.
To that point, SEC Chairman Jay Clayton said in a statement, "Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE's inspection efforts. I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”
Or, more bluntly put, good policies are no longer enough.
While the report is delivered in the context of cyber resiliency, its guidelines are highly focused on best practices in areas including governance, access control, and risk management—many of the same foundational and proactive initiatives our Information Governance, Privacy & Security practice advises clients to implement.
The OCIE’s summary reiterates key areas that have been widely discussed across industries—such as board-level involvement and incident response planning—and offers additional guidance and expectations around them. Beyond those, the following practices, which have long been central pillars of sound information governance, were extensively and notably featured:
- Governance and risk assessment
- Access management
- Proactive data loss prevention
- Mobile security and device management
- Third-party/vendor management
- Training, awareness, and testing
The bar has been markedly raised in terms of SEC expectations around data security, and financial services institutions will need to pivot accordingly. This may include an extensive audit of current programs, pressure testing of those programs, revisions to current policies, training initiatives, and new technology implementations.
Even in light of this SEC guidance, there is not a one-size-fits-all security solution for the banking industry. Every organization requires a custom approach that appropriately addresses its unique compliance, risk, and operational profile. What the industry now has though, is a clear window into the way the SEC views data security, and the regulator’s benchmark for what are considered adequate, compliant cyber resilience measures.
Read my Network Computing article on this topic here.