What A Good Cybersecurity Program Looks Like

A short summary of the OCIE's recommendations after reviewing seventy-five financial firms' cybersecurity programs.

In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) examined seventy-five financial firms to get an update on their cybersecurity preparedness. While OCIE found improvements since its 2014 round of examinations, it reported that firms could still do better. Its findings are recommended reading for anyone wanting to benchmark or toughen up their cybersecurity measures. The report reveals what most firms are doing, and, most importantly, it also highlights best practice at the firms OCIE considers “robust”.

Here’s a quick summary if you’re pushed for time:

Common Practice

What most firms do:

  • Periodic risk assessments for critical systems

  • Penetration tests and vulnerability scans on critical systems

  • Tools to prevent, detect and monitor the loss of personally identifiable data

  • Maintenance processes to address vulnerabilities

  • Information-protection programs

  • Cybersecurity organization charts

  • Procedures governing customer/shareholder authority to transfer funds to third-party accounts

  • Vendor risk assessments

Best Practice

Extra measures that “robust” firms take:

  • Inventory of data, information and vendors, including risk classification and vulnerabilities

  • Detailed cybersecurity-related instructions, e.g. for monitoring and access rights

  • Prescriptive schedules and processes for testing data integrity and vulnerabilities

  • Established and enforced controls on access to data and systems

  • Mandatory employee training, from onboarding onwards

  • Senior management engaged to vet and approve policies and procedures

Want to read the full findings? Here’s the full six-page OCIE report.