What Does OCIE Look for When Examining Cybersecurity Practices?

January 31, 2020

What Does OCIE Look for When Examining Cybersecurity Practices?

WHAT HAPPENED?

In recent years, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission made cybersecurity a top priority when examining all types of firms. As the use of digital technology becomes more essential to daily business practices, so too does the need to protect data and information from vulnerabilities.

Earlier this week, the Commission published “OCIE Cybersecurity and Resiliency Observations,” which outlines effective cybersecurity practices utilized by recently examined firms. The summary explores seven key areas of interest for OCIE:

1. Governance and risk management: OCIE noted that successful cybersecurity programs include the use of risk assessments, written policies and procedures, and effective adoption of those policies.
2. Access rights and controls: The Commission observed that firms who understand, restrict, and control data access greatly decrease network vulnerabilities and risks.
3. Data Loss Prevention: Ensuring sensitive information is protected through the use of vulnerability scanning, network segmentation and encryption, and monitoring insider threats, among other measures, was found to be essential to successful cybersecurity practices.
4. Mobile Security: Mobile devices are often a peak point of vulnerability; OCIE recommends implementing mobile device policies and procedures, mobile device management, and comprehensive employee training to minimize risks in this area.
5. Incident Response and Resiliency: A strong cybersecurity program includes development and maintenance of an incident response program to ensure an organization can safely recover from an adverse event.
6. Vendor Management: Understanding and monitoring vendor security practices also contributes to comprehensive data security. Conducting vendor due diligence, assessing vendor relationships, and testing security practices are all part of the vendor management process.
7. Training and Awareness: Policies and procedures are less effective if employees do not understand how to implement them. Ongoing and thorough employee training is key in protecting networks from system hacks, malware, and phishing.

WHAT DOES THIS MEAN FOR ME?

The Commission’s focus on cybersecurity will continue to expand for the foreseeable future. With that, examination practices are likely to emphasize the importance of maintaining and implementing proper cybersecurity policies and procedures, vendor management practices, and employee training.

Fairview^® is here to answer questions regarding OCIE’s recent publication, cybersecurity best practices, examination practices, and regulatory inquiries. Contact us for more information about designing a comprehensive cybersecurity program for your business.