On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a set of examination observations related to the operational resiliency and cybersecurity practices of market participants.
OCIE highlighted various approaches taken by organizations in the areas of vendor management, data loss prevention, governance and risk management, mobile security, access rights and controls, training and awareness, as well as incident response and resiliency.
The latest observations focus on particular examples of operational resiliency and cybersecurity practices and controls. These are the measures that organizations have taken to safeguard against various threats and to respond when incidents arise. SEC Chairman Jay Clayton said:
“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts. I commend OCIE for compiling and sharing these observations with the industry and the public.”
Clayton encouraged market participants to incorporate the information into their cybersecurity assessments. Through risk-targeted examinations in each of its five examination program areas, OCIE observed several practices used to manage and combat cyber risk. According to Peter Driscoll, Director of OCIE, these practices are also used to build operational resiliency.
OCIE felt it was important to share its findings so that organizations have an opportunity to reflect on their in-house cybersecurity practices. OCIE is tasked with examining all SEC-registered investment companies, clearing agencies, investment advisers, transfer agents, self-regulatory organizations, broker-dealers and many others.
It applies a risk-based approach to examinations to fulfill its mission of enhancing compliance with US securities laws. OCIE also uses the same approach to monitor risk, prevent fraud, and inform SEC policy.
By sharing these observations, the Commission encourages market participants to review their policies, practices and procedures. Assessing preparedness levels and implementing the proposed measures makes an organization more secure. Market participants should also actively engage law enforcement and regulators in these strategies.