OCIE Cybersecurity and Resiliency Observations

  • Source: sec.gov

Treliant Takeaway:

The SEC continues to emphasize the importance of Cybersecurity and Resiliency, and in 2020 has directed its supervisory units and managers to focus on several key risk areas when developing their 2020 examination plans.

Treliant’s Cybersecurity & Privacy team knows how to develop and implement sustainable Cybersecurity and Resiliency programs that stand up to regulatory scrutiny.  Our professionals are former Chief Information Security Officers (“CISO”) and Internal Auditors.  We understand how to make these programs work and the issues where examiners will focus.

Article Highlights:

The SEC has focused heavily on cybersecurity for many years and the Office of Compliance Inspections and Examinations (“OCIE”) has highlighted information security as a key risk for market participants, and has included it as a key element in its examination program.

Through thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants, OCIE has observed various industry practices and approaches to managing and combating cybersecurity risk and the maintenance and enhancement of operational resiliency.

Within the directive pertaining to Information Security and Cybersecurity compliance, the OCC tells its examiners to focus on seven key risk areas:

Key Risk Areas Description
1.    Governance and risk management Senior level engagement and the risk assessment process
2.    Access rights and controls User access management
3.    Data loss prevention Detective security to minimize data leakage
4.    Mobile security Managing the use of mobile devices
5.    Incident response and resiliency Incident identification, response and recovery
6.    Vendor management Third party management program
7.    Training and awareness User awareness and effectiveness of training

Among these seven key risk areas, CISOs and their teams need to be ready to demonstrate compliance and be ready for a thorough look at the underlying processes.

Author

Richard Hudson

Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…