OCIE Report Highlights Top Industry Practices on Cyber Oversight

The SEC’s Office of Compliance Inspections and Examinations issued examination observations related to cybersecurity to help market participants consider how to enhance their cybersecurity preparedness and operational resiliency. OCIE said thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants have highlighted practices in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. OCIE’s report can be instructive for boards in several ways, particularly in oversight of third-party vendors. For instance, OCIE highlighted several important practices deployed by organizations in the area of vendor management, some listed below, that can inform an oversight framework.

• Vendor Management Program. Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented. Leveraging questionnaires based on reviews of industry standards (e.g., SOC 2, SSAE 18) as well as independent audits. Establishing procedures for terminating or replacing vendors, including cloud-based service providers.
• Understanding Vendor Relationships. Understanding all contract terms including rights, responsibilities, expectations, and other specific terms to ensure that all parties have the same understanding of how risk and security is addressed. Understanding and managing the risks related to vendor outsourcing, including vendor use of cloud-based services.
• Vendor Monitoring and Testing. Monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.