SEC Publishes Cybersecurity Practices for Financial Industry



The US Securities and Exchange Commission (SEC) has released cybersecurity guidance for the financial industry, drawn from a series of observations of how the industry operates online, to help firms maintain the integrity of their cybersecurity policies.


According to reporting from Infosecurity Magazine’s Sarah Coble, “the observations were gathered by the SEC’s Office of Compliance Inspections (OCIE) and are based on thousands of examinations of broker-dealers, investment advisories, clearing agencies, national securities exchanges and other SEC registrants.”


The Office of Compliance Inspections has made its findings available, and takes a no-holds-barred approach to the current threat. “Cybersecurity threats come from many sources,” authors note, “and do not discriminate across the spectrum of securities and financial market participants. The seriousness of the threats and the potential consequences to investors, issuers, and other securities market participants, and the financial markets and the economy more generally, are significant and increasing.”


Peter Driscoll, director of the OCIE, said that “Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency.”


“We felt it was critical to share these observations in order to allow organisations the opportunity to reflect on their own cybersecurity practices,” he said.


The SEC made it clear that organisations with senior-level engagement were better positioned than others in this context, citing “devoting appropriate board and senior leadership attention to setting the strategy of and overseeing the organisation’s cybersecurity and resiliency programs” as an essential observation. The same applies to risk assessment, which should consider things like the “business model, as part of defining a risk assessment methodology, and working to identify and prioritize potential vulnerabilities.”


Policies and procedures were another critical observation, with the authors noting that it was imperative to “adopt and implement comprehensive written policies and procedures addressing the areas discussed below and identified risks.” The same applied to testing and monitoring those policies for effectiveness: organisations were urged to begin “establishing comprehensive testing and monitoring to validate the effectiveness of cybersecurity policies and procedures on a regular and frequent basis.”


SEC Chairman Jay Clayton stated that “data systems are critical to the functioning of our markets, and cybersecurity and resiliency are at the core of OCIE’s inspection efforts.”

“I commend OCIE for compiling and sharing these observations with the industry and the public to encourage market participants to incorporate this information into their cybersecurity assessments,” he concluded.

© 2019 by Best Practice
