It takes senior leadership pushing initiatives to bring about successful cybersecurity practices within firms and organizations; that is one of the findings of a new report from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE).
The analysis, which was derived from observations made during OCIE examinations of firms, advisors, clearing agencies and others, also covered access rights, how to prevent the loss of consumer (and firm) data, mobile security, how to effectively respond to data breaches, vendor management, and proper training and awareness procedures.
“Indeed, in an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors, firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency,” the report read.
Cybersecurity is consistently top of mind among advisory firms. For six years in a row, cybersecurity was the top compliance focus among firms in surveys from the Investment Adviser Association and ACA Compliance Group; the latest survey in July indicated that 83% of respondents considered cybersecurity the “hottest” topic in compliance, outpacing advertising (at 28%). In the current regulatory environment, firms are increasingly turning to new tech tools to compile, sort and archive data that needs to be kept, likely increasing the need for firms to develop cybersecurity policies and find tools to adequately protect that data.
According to OCIE Director Peter Driscoll, the observations in the report could act as guideposts for firms uncertain as to whether their current cybersecurity measures are sufficient.
“Through risk-targeted examination in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” he said. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
According to the report, firms’ senior leaders need to devote the time and attention to cybersecurity risk management to make needed changes. In addition, successful governance and risk management procedures at firms tended to include a risk assessment of an organization’s cybersecurity risks, written policies that address these risks, and a commitment to implement and enforce those policies. Firms must also be prepared to adapt their procedures as needed, especially given how quickly cybersecurity threats change and how fast new ones emerge.
The report also stressed the importance of monitoring and policing who has access to data, stating that firms with proper access controls tended to understand where data was located throughout the organization, restricted access to that data to authorized users only, and had tools in place that could prevent and/or catch attempts at unauthorized entry into systems.