Cybersecurity: What Does A Good Program Look Like?
A short summary of the OCIE's recommendations after reviewing 75 financial firms' cybersecurity programs
In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) looked at 75 financial firms to get an update on their cybersecurity preparedness.
While OCIE found improvements since its 2014 round of examinations, it reported that firms could still do better. Its findings are recommended reading for anyone wanting to benchmark or toughen up their cybersecurity measures. The report describes what most firms are doing, but more importantly it also highlights the practices at firms OCIE considers “robust”.
Here’s a quick summary if you’re pushed for time:
What most firms do
Periodic risk assessments for critical systems
Penetration tests and vulnerability scans on critical systems
Tools to prevent, detect and monitor for the loss of personally identifiable information (PII)
Maintenance processes to address vulnerabilities
Cybersecurity organization charts
Procedures to verify customer/shareholder authority before transferring funds to third-party accounts
Vendor risk assessments
Extra measures that “robust” firms take
A complete inventory of data, information and vendors, classified by risk and noting known vulnerabilities
Detailed cybersecurity-related instructions, e.g. for monitoring and access rights
Prescriptive schedules and processes for testing data integrity and scanning for vulnerabilities
Established and enforced controls to access data and systems
Mandatory employee training, from onboarding onwards
Senior management engaged to vet and approve policies and procedures
Want to read the full findings? Here’s the full six-page OCIE report.
If you'd like a review of your current cybersecurity program, explore the cybersecurity experts on our platform by creating a free profile with Complect and take advantage of our member discounts to discover firms like Entreda, a full service, automated cybersecurity and compliance policy enforcement platform.