On January 27, the U.S. Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") announced the release of its Cybersecurity and Resiliency Observations from examinations of market participants. The publication details practices in cybersecurity and operational resiliency undertaken by SEC member firms that are recommended by OCIE.
In the press release announcing the report, Peter Driscoll, Director of OCIE, said, “Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency. We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”
OCIE Cybersecurity and Resiliency Observation Highlights
OCIE has encapsulated its cybersecurity and resiliency findings from the thousands of examinations it has conducted, and from those recommendations outlined in previous Risk Alerts. Highlights of the recorded observations focus on the following:
Governance and Risk Management
- Ensure that senior leadership is engaged with and committed to mitigating cybersecurity risk
- Include cybersecurity as a key element in business planning, aligning it with other business processes
- Assess current levels of risks, including prioritizing potential vulnerabilities and identifying potential sources of risk
- Develop and implement comprehensive written policies and procedures
- Test and monitor policies and procedures, including constant vigilance to developing threats via cyber threat intelligence
- Adapt planning as necessary, and communicate changes both internally and externally, to clients, customers, employees, decision makers, and regulators, as needed
Access Rights and Controls
- Establish and implement comprehensive controls regarding the storage of data and rights to access that information. Limit access to information based on appropriate roles
- Manage access during all phases of employment and separation, reviewing access to information periodically, and protecting access via strong password requirements and multi-factor authentication (MFA)
- Monitor access for threatening and suspicious attempts, as well as for required changes necessitated by hardware and software issues
Data Loss Prevention
- Utilize tools and processes to ensure that sensitive data, including personally identifiable information (PII), is not exfiltrated, lost, or misused
- Scan assets such as software code, databases, workstations, and more for vulnerabilities, and take preventive measures
- Monitor and control all incoming and outgoing network traffic, using firewalls, intrusion detection, email security, restrictions on external devices such as USB thumb drives, etc.
- Capture the movement of data, and especially suspicious activity, via intrusion detection systems, logging systems, etc.
- Ensure that all operating system and anti-malware software updates are applied, using a patch management system
- Identify all components and locations of hardware and software assets
- Encrypt data at rest (e.g., on hard drives, in databases) and in transit (e.g., during email transmission, in web form transmissions)
- Decommission and dispose of hardware and software assets in a secure fashion.
- Extend monitoring efforts to insider threats, ensuring detection and prevention of data loss implemented from within the organization
Mobile Security
- Establish policies and procedures related to the security of mobile devices
- Use mobile device management (MDM) software and extend its use to personal devices when used for company business
- Enforce security measures such as MFA, the ability to remotely clear data from devices, etc.
- Train staff on proper security for mobile devices
Incident Response and Resiliency
- Enhance company capabilities regarding the ability to react appropriately to security events (incident response) and to ensure the speedy resumption of company functioning following events (resiliency)
- Develop and maintain appropriate plans that include specified notification and response patterns, chains of responsibility, communication paths, and more
- Address reporting requirements in planning, including clear and detailed instructions for appropriate legal, enforcement, and regulatory reporting
- Maintain inventories of key business systems and operations, including maps of system process and services
- Assess and determine risk tolerances
- Ensure methods of resilient functioning such as physical separation of backup data, offline backups, and cybersecurity insurance
- Test and assess incident response and resiliency plans, refining them based on test results
Vendor Management
- Ensure that cybersecurity is monitored and overseen in relation to work with and practices at third-party service providers
- Establish a vendor management program to ensure that safeguards and security programming are implemented
- Use due diligence, including questionnaires based on industry standards and security principles
- Carefully establish contractual obligations that cover necessary security terms
- Monitor and test vendors, maintaining awareness of new developments at third-party service providers
- Establish secure procedures for changing vendors, including those that are cloud-based
Training and Awareness
- Consistently provide staff with awareness of their roles and responsibilities regarding cybersecurity, including methods of detecting and responding to suspicious events
- Build a culture of cybersecurity awareness and readiness, including training methods that engage staff with practical situations and exercises
- Ensure awareness, understanding, and acceptance of policies and procedures related to cybersecurity
- Continually monitor training efforts, improving them based on results and the current cybersecurity environment
ACA Aponix Guidance
OCIE's Cybersecurity and Resiliency Observations provides an extensive and far-reaching blueprint for SEC-registered firms to both establish and maintain sound cybersecurity policies and procedures. While serving to help firms protect themselves from cyber and operational risk, firms should likewise consider these observations as warnings: OCIE is in effect saying these are things it expects to see during its examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others.
How We Help
ACA Aponix offers the following services that can help your firm develop and implement a comprehensive cybersecurity program in light of the SEC OCIE's Cybersecurity and Resiliency Observations:
- Cybersecurity and technology risk assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Vendor diligence and management
- Phishing testing and cyber awareness training
- Penetration testing and vulnerability assessments
- Mock regulatory cyber exams
- Threat intelligence
- Microsoft® Office 365® security assessments
- CCPA and other data privacy gap assessments and advisory services
Please contact us to learn how we can help your company.
For More Information
If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.
As we begin 2020, here are 10 cybersecurity trends to look for in the coming year.
- Cloud usage will grow; cloud attacks will be more frequent and harder to identify
As more firms use cloud providers for data storage as well as infrastructure purposes, there will be cloud-related security ramifications. Cybercriminals are finding it harder to precisely target a firm's resources and are likely to rely on increased frequency of attacks to increase their chances of success. Relatedly, investigations into cloud-related incidents have taken on more complexity, as seen with the recent Cloudhopper breach.
- Ransomware will be more targeted
While the number of generalized ransomware attacks has declined over the past several years, the number of targeted ransomware attacks has grown and will likely continue to do so. Attackers are expected to focus their ransomware attacks on companies that could be more likely to make substantial payments. Additionally, criminals using ransomware are increasingly threatening to publish potentially damaging information online, rather than just scrambling files.
- Connected devices will be at risk
As the Internet of Things (IoT) continues to grow, so too will the use of these connected devices as a vector for cyber-attacks. Smart TVs, smart watches, smart cars, and smart houses will continue to be targets. And the increased adoption of 5G will create an ever-larger network of connected devices to target.
- Artificial intelligence (AI) use for cybersecurity will grow, and so will blind spots
Security teams will expand their use of AI for identifying threats. And as suggested in Forbes, security blind spots in the form of missed threats and false positives will likely be on the rise as a result of potential bias in AI models. Diversity in data models and security teams will be needed to combat these potential weak points.
And while AI use is growing in combating cybercrime, its use is likewise on the rise by cybercriminals themselves. Phishing efforts are being enhanced with machine learning to automate campaigns, improve algorithms, A/B test, and more.
- Hacktivists will flood companies with privacy regulation requests as a means of attack
In a twist on the distributed denial-of-service (DDoS) tactic, criminals will likely use newly enforced privacy regulations as an attack vector. According to IBM Security, hacktivists and crooks may flood companies with individual rights requests at a scale that drains firms of time, resources, and computing power.
- Credential stuffing will grow
As we saw with the hack attack on the new Disney+ streaming service, in which thousands of account credentials were hacked and made available for sale, credential stuffing is likely to increase in 2020 as well. Credential "stuffing" is the practice in which attackers cycle through lists of existing stolen credentials from other services, in hopes that accounts on additional services will use the same ones. If stronger password management techniques are not implemented, the dark web will be stuffed with logins for sale.
- Mobile devices will be targeted more
The use of mobile phones as an attack vector is on the rise. Not only that, but based on the multitude of mobile zero-day vulnerabilities over the past year, the complexity of the attacks is also increasing. With a phone in nearly every pocket, cybercriminals know there's a wallet's worth of tempting data and cash nearby. The good news is that in reaction to a high level of SIM swapping attacks in the past year, firms are moving away from text message-based authentication codes in favor of mobile apps specific for multi-factor authentication.
- The end of Windows 7 support will cause security problems
The imminent sunset of support for Microsoft® Windows 7 will likely lead to increased vulnerabilities. As happened with Windows XP, attackers may leverage the lack of OS patching to gain entry into systems still using the old operating system software. And of course, Windows will always be a target, and you should ensure your systems are always using the latest patches.
- More nation-states will pursue cybercrime
State-sponsored cybercrime is a persistent and growing threat. The "Big Four" (Russia, China, Iran, and North Korea) continue to be a concern, and trends have indicated that India, Pakistan, Vietnam, the United Arab Emirates, Saudi Arabia, Qatar, Brazil, Romania, and others are joining in, using hacking tools and ransomware against adversaries. We should expect an increase in destructive malware attacks in North America and Europe.
- Companies will improve their cybersecurity
Per Kaspersky, businesses and organizations are seeing a rise in their levels of security, both in terms of infrastructure hardening and general preparedness. While bad news for cybercriminals, that news is certainly good for the rest of us, and something to look forward to in the year ahead.
How ACA Can Help
ACA Aponix offers the following solutions that can help protect your company from cybersecurity risk:
- Cybersecurity and technology risk assessments
- CCPA compliance assistance
- Vendor diligence and management
- Phishing testing and cyber awareness training
- Cyber incident response planning
- Threat intelligence
For more information, contact info@acaaponix.com or your ACA consultant.