
United States:

Cybersecurity: The SEC Provides Guidance On Well-Known And Emerging Best Practices


At the end of January, the U.S. Securities and Exchange Commission’s
Office of Compliance Inspections and Examinations (OCIE) released
its “Observations on Cybersecurity and Resiliency” (Observations). While any guidance on
cybersecurity from the SEC — one of the most active federal
regulators of cybersecurity and data privacy disclosure and
compliance — is welcome, the observations may not surprise
those closely following privacy and cyber developments or the
examinations and settlements pursued by the SEC and other
regulators, such as the Federal Trade Commission.

The Observations serve as a good reminder and road map for
leaders in corporate governance, compliance, law departments and
technology of the best practices for both prophylactic
cybersecurity and responsiveness during and after a breach. As the director of OCIE noted, the Observations
are intended to foster and highlight observable best practices:
“Through risk-targeted examinations . . . OCIE has observed a
number of practices used to manage and combat cyber risk and to
build operational resilience.” Companies that employ or adapt
these best practices and can answer “yes” to the
questions below will likely better weather a cyber-storm. And given
the ongoing threat of malicious cyber-activity from across the
globe, those cyber-storms are increasingly likely.

Governance and Risk Management

  • Is the company’s C-suite
    actively involved in setting and overseeing the strategy of the
    company’s cybersecurity and resilience programs?

  • Is the company’s board
    regularly briefed and consulted on the strategy of the
    company’s cybersecurity and resilience programs?

  • Has the company developed and
    conducted a risk assessment of the cyber risks relevant to it? For
    example, has the company:

    • Identified — and prioritized
      addressing — potential vulnerabilities?

    • Implemented policies concerning
      remote or traveling employees to mitigate cyber

    • Conducted training to identify and
      respond to internal and external threats and vulnerabilities?

  • Does the company have comprehensive
    written policies and procedures addressing cybersecurity?

    • Does the company regularly test those
      policies and procedures?

    • Does the company have protocols in
      place to modify written policies and procedures in response to
      routine testing and monitoring?

Access Rights and Controls

  • Does the company have:

    • A data map or, at a minimum, know
      where the “crown jewels” are located?

    • An inventory of core business
      operations and systems?

    • Clear policies to limit or restrict
      data access only to authorized and necessary users?

    • Appropriate controls to prevent and
      monitor unauthorized data/system access?

  • Does the company require:

    • Use of strong passwords and that
      those passwords be periodically changed?

    • Multifactor authentication on-site or
      for remote access?

  • Does the company revoke system access
    for former employees and vendors?

  • Does the company routinely:

    • Review system hardware and software
      for changes, and implement necessary updates or patches, and
      investigate anomalies?

    • Monitor failed login attempts and
      account lockouts?

Data Loss Prevention

  • Does the company utilize:

    • Vulnerability scanning tools on
      software code, web applications, servers and databases, and
      workstations — both internally and at third-party service

    • Perimeter security to monitor all
      incoming and outgoing network traffic, such as firewalls?

    • Enterprise data loss-prevention
      solutions that block access to cloud-based email, file sharing and
      social media platforms?

    • Password protection or encryption on
      removable media?

    • Software to identify incoming threats
      and fraudulent communications that may carry malware?

    • Patch management programs?

    • Encryption and network

  • Does the company maintain:

    • System logs?

    • Hardware and software inventory?

  • Does the company engage in insider
    threat monitoring, such as:

    • Programs, procedures and policies to
      identify suspicious behavior?

    • A chain of escalation to senior
      leadership to address such conduct?

    • Penetration testing?

    • Phishing exercises?

    • Policies to prevent transmission of
      sensitive data or personally identifiable data outside the company
      without proper authorizations?

  • Does the company properly secure and
    decommission hardware and software once retired from use?

  • Are employees regularly trained on:

    • Policies and procedures designed to
      protect company data and prevent breaches or cyber-incidents?

    • Current phishing vulnerabilities and

    • Identifying breach indicators,
      attempts and suspicious activities?

Mobile Security

  • Does the company have:

    • Policies and procedures for mobile
      device usage?

    • Mobile device management (MDM)
      applications, which protect company calendars, emails and other
      data when an employee is utilizing his/her own device pursuant to a
      “bring your own device” (BYOD) program?

  • Does the company train employees on
    secure use of mobile devices? For example, does the company:

    • Prohibit or discourage public Wi-Fi

    • Encourage maximization of privacy
      settings on mobile and social media applications?

    • Encourage limitations on geolocation
      data usage and sharing?

    • Raise user awareness of ways in which
      mobile device usage may make company confidences vulnerable?

  • Does the company have policies and
    procedures in place for reporting mobile device loss and
    “killing” company applications remotely when a device
    is lost or breached?

Incident Response and Resiliency

  • Does the company have an incident
    response plan (IRP) that addresses:

    • Denial-of-service attacks?

    • Malicious disinformation?

    • Ransomware?

    • Key employee succession?

  • Does the company have a business
    continuity plan?

  • Does the company have a breach
    communication plan (BCP) that includes:

    • A process to escalate decision-making
      to management in the event of a breach?

    • Ways in which to communicate with key

    • Assignments of responsibility to key
      stakeholders and staff?

    • Timely notification and reporting to
      regulators (state, federal and international, as applicable),
      employees, customers, clients and other impacted data

  • Has the company, including the
    C-suite, tested the IRP and BCP through a “table top”

  • Concerning core business operations
    or systems:

    • Does the company have a resilience
      plan in the event any operations or systems are impacted or

    • Has the company stress-tested its
      tolerances and backup systems in the event of failure or

    • Is backup data maintained offline or
      on a different network?

  • Are business continuity and backup
    systems geographically separate from the main business

Vendor Management

  • Does the company audit or conduct due
    diligence on third-party service providers who have access to
    company or customer data?

  • Does the company have:

    • Vendor management programs to ensure
      vendors meet security requirements?

    • Procedures for terminating or
      replacing vendors?

  • Has the company reviewed the contract
    terms with third-party service providers concerning data risk,
    responsibilities, access, transfer, sale, reporting and

While even the most prepared company may not be able to thwart a
cyber-attack or full-blown breach, the practices outlined above may
better position a company to respond to such incidents. The
SEC’s Observations conclude: “We believe that assessing
your level of preparedness and implementing some or all of the
[enumerated] measures will make your organization more

As cyber-threats rapidly evolve and expand, so too should the
prophylactic and responsive measures companies take to combat them.
Likewise, best practices continue to evolve, and these
Observations, and other regulator guidance, help companies assess
their procedures and policies and fine-tune them to better address
the threats of the day.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
