The Securities and Exchange Commission Commission’s Office of Compliance Inspections and Examinations issued examination observations related to cybersecurity and operational resiliency practices taken by SEC registrants.
This compilation of observations is based on OCIE’s observations of broker-dealer, investment advisers, clearing agencies, national securities exchanges and other firms that OCIE has taken a look at. It’s not clear if these observations are from cyber sweeps or the full body of exams.
But it doesn’t matter. The report is full of good things and acts as a roadmap for good practices.
If you noted that the types of firms covered has a lot of variety, you are correct. The Report acknowledges that there is no “one-size fits all” approach to cybersecurity.
[A]ll of these practices may not be appropriate for all organizations, we are providing these observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.
The report is very concise so I’m not going to list all of the items. Matt Kelly highlights a few of his favorites on cybersecurity. I think the report can be used as a roadmap to review your firm’s cybersecurity.
The SEC is taking things a step further and talking about resiliency. It’s ridiculous to think that any firm can make itself immune to an attack or failure.
[If] an incident were to occur, how quickly can the organization recover and again safely serve clients?
You need a plan. You need an inventory of your services and systems. You need to know how to substitute a system so that you can still deliver services to your clients.
Sources:
