At the end of January, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released its “Observations on Cybersecurity and Resiliency Practices” (Observations). While any guidance on cybersecurity from the SEC — one of the most active federal regulators of cybersecurity and data privacy disclosure and compliance — is welcome, the Observations may not surprise those closely following privacy and cyber developments or the examinations and settlements pursued by the SEC and other regulators, such as the Federal Trade Commission.
The Observations serve as a good reminder and road map for leaders in corporate governance, compliance, law departments and technology of the best practices for both prophylactic cybersecurity and responsiveness during and after a breach. As the director of OCIE noted, the Observations are intended to foster and highlight observable best practices: “Through risk-targeted examinations . . . OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resilience.” Companies that employ or adapt these best practices and can answer “yes” to the questions below will likely better weather a cyber-storm. And given the ongoing threat of malicious cyber-activity from across the globe, those cyber-storms are increasingly likely.
Governance and Risk Management
- Is the company’s C-suite actively involved in setting and overseeing the strategy of the company’s cybersecurity and resilience programs?
- Is the company’s board regularly briefed and consulted on the strategy of the company’s cybersecurity and resilience programs?
- Has the company developed and conducted a risk assessment of the cyber risks relevant to it? For example, has the company:
  - Identified — and prioritized addressing — potential vulnerabilities?
  - Implemented policies concerning remote or traveling employees to mitigate cyber vulnerabilities?
  - Conducted training to identify and respond to internal and external threats and vulnerabilities?
- Does the company have comprehensive written policies and procedures addressing cybersecurity?
- Does the company regularly test those policies and procedures?
- Does the company have protocols in place to modify written policies and procedures in response to routine testing and monitoring?
Access Rights and Controls
- Does the company have:
  - A data map or, at a minimum, knowledge of where the “crown jewels” are located?
  - An inventory of core business operations and systems?
  - Clear policies to limit or restrict data access only to authorized and necessary users?
  - Appropriate controls to prevent and monitor unauthorized data/system access?
- Does the company require:
  - Use of strong passwords, and that those passwords be periodically changed?
  - Multifactor authentication on-site or for remote access?
- Does the company revoke system access for former employees and vendors?
- Does the company routinely:
  - Review system hardware and software for changes, implement necessary updates or patches, and investigate anomalies?
  - Monitor failed login attempts and account lockouts?
Data Loss Prevention
- Does the company utilize:
  - Vulnerability scanning tools on software code, web applications, servers and databases, and workstations — both internally and at third-party service providers?
  - Perimeter security, such as firewalls, to monitor all incoming and outgoing network traffic?
  - Enterprise data loss-prevention solutions that block access to cloud-based email, file sharing and social media platforms?
  - Password protection or encryption on removable media?
  - Software to identify incoming threats and fraudulent communications that may carry malware?
  - Patch management programs?
  - Encryption and network segmentation?
- Does the company maintain:
  - System logs?
  - A hardware and software inventory?
- Does the company engage in insider threat monitoring, such as:
  - Programs, procedures and policies to identify suspicious behavior?
  - A chain of escalation to senior leadership to address such conduct?
  - Penetration testing?
  - Phishing exercises?
  - Policies to prevent transmission of sensitive data or personally identifiable data outside the company without proper authorization?
- Does the company properly secure and decommission hardware and software once retired from use?
- Are employees regularly trained on:
  - Policies and procedures designed to protect company data and prevent breaches or cyber-incidents?
  - Current phishing vulnerabilities and scams?
  - Identifying breach indicators, attempts and suspicious activities?
Mobile Security
- Does the company have:
  - Policies and procedures for mobile device usage?
  - Mobile device management (MDM) applications, which protect company calendars, emails and other data when an employee is utilizing his/her own device pursuant to a “bring your own device” (BYOD) program?
- Does the company train employees on secure use of mobile devices? For example, does the company:
  - Prohibit or discourage public Wi-Fi usage?
  - Encourage maximization of privacy settings on mobile and social media applications?
  - Encourage limitations on geolocation data usage and sharing?
  - Raise user awareness of ways in which mobile device usage may make company confidences vulnerable?
- Does the company have policies and procedures in place for reporting mobile device loss and “killing” company applications remotely when a device is lost or breached?
Incident Response and Resiliency
- Does the company have an incident response plan (IRP) that addresses:
  - Denial-of-service attacks?
  - Malicious disinformation?
  - Ransomware?
  - Key employee succession?
- Does the company have a business continuity plan?
- Does the company have a breach communication plan (BCP) that includes:
  - A process to escalate decision-making to management in the event of a breach?
  - Ways in which to communicate with key stakeholders?
  - Assignments of responsibility to key stakeholders and staff?
  - Timely notification and reporting to regulators (state, federal and international, as applicable), employees, customers, clients and other impacted data subjects?
- Has the company, including the C-suite, tested the IRP and BCP through a “tabletop” exercise?
- Concerning core business operations or systems:
  - Does the company have a resilience plan in the event any operations or systems are impacted or fail?
  - Has the company stress-tested its tolerances and backup systems in the event of failure or inaccessibility?
  - Is backup data maintained offline or on a different network?
  - Are business continuity and backup systems geographically separate from the main business locations?
Vendor Management
- Does the company audit or conduct due diligence on third-party service providers who have access to company or customer data?
- Does the company have:
  - Vendor management programs to ensure vendors meet security requirements?
  - Procedures for terminating or replacing vendors?
- Has the company reviewed the contract terms with third-party service providers concerning data risk, responsibilities, access, transfer, sale, reporting and liability?
Conclusion
While even the most prepared company may not be able to thwart a cyber-attack or full-blown breach, the practices outlined above may better position a company to respond to such incidents. The SEC’s Observations conclude: “We believe that assessing your level of preparedness and implementing some or all of the [enumerated] measures will make your organization more secure.”
As cyber-threats rapidly evolve and expand, so too should the prophylactic and responsive measures companies take to combat them. Likewise, best practices continue to evolve, and these Observations, and other regulator guidance, help companies assess their procedures and policies and fine-tune them to better address the threats of the day.