The US Securities and Exchange Commission (SEC) has published a 10-page document detailing cybersecurity practices observed to be in use in the financial industry.
The observations were gathered by the SEC's Office of Compliance Inspections (OCIE) and are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants.
OCIE issued the examination observations yesterday on the SEC website with the hope of providing firms with guidelines for how to strengthen their cybersecurity.
The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They also examine how companies have restored operations and remained resilient in the wake of a cybersecurity incident.
While acknowledging that there is no one-size-fits-all approach when it comes to cybersecurity, OCIE recommended establishing an incident response plan and contacting local authorities or the Federal Bureau of Investigation (FBI) if an attack or compromise is discovered or suspected.
Training employees on how to detect threats was advised, along with implementing a mobile device management solution for the workplace that covered all devices used by employees under a "bring your own device" policy.
"Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency," said Peter Driscoll, director of OCIE.
"We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices."
To prevent data loss, OCIE recommended establishing a patch management program covering all software and hardware, and verifying that the decommissioning and disposal of any hardware or software does not leave behind exploitable system vulnerabilities.
"Data systems are critical to the functioning of our markets, and cybersecurity and resiliency are at the core of OCIE’s inspection efforts," said SEC chairman Jay Clayton.
"I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments."