A short summary of the OCIE's recommendations after reviewing seventy-five financial firms' cybersecurity programs.
In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) looked at seventy-five financial firms to get an update on their cybersecurity preparedness. While OCIE found improvements since its 2014 round of examinations, it reported that firms could still do better. Their findings are recommended reading for anyone wanting to benchmark or toughen up their cybersecurity measures. The report reveals what most firms are doing – but most importantly, it also highlights best practice at firms OCIE considers “robust”.
Here’s a quick summary if you’re pushed for time:
What most firms do:
Periodic risk assessments for critical systems
Penetration tests and vulnerability scans on critical systems
Tools to prevent, detect and monitor the loss of personally identifiable data
Maintenance processes to address vulnerabilities
Cybersecurity organization charts
Verification of customer/shareholder authority to transfer funds to third-party accounts
Vendor risk assessments
Extra measures that “robust” firms take:
Inventory of data, information and vendors, including risk classification and vulnerabilities
Detailed cybersecurity-related instructions, e.g. for monitoring and access rights
Prescriptive schedules and processes for testing data integrity and vulnerability
Established and enforced controls to access data and systems
Mandatory employee training, from onboarding onwards
Senior management engaged to vet and approve policies and procedures
Want to read the full findings? Here’s the full six-page OCIE report.