The SEC’s Office of Compliance Inspections and Examinations (OCIE) has published a report of cybersecurity best practices. The report advises registrants to assess their cybersecurity practices in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response, vendor management, and training. Citing industry best practices, OCIE advises firms to conduct risk assessments; adopt, implement, and test policies and procedures; restrict access; inventory the location of data; conduct vulnerability scanning; implement patches; encrypt networks; create an incident response plan; and supervise vendors. OCIE recommends following guidance from the Cybersecurity and Infrastructure Security Agency as well as the National Institute of Standards and Technology. OCIE identifies cybersecurity as “a key risk for security market participants” and a “key priority” for exams.
Cybersecurity is more than hiring a random IT firm to conduct a penetration test. OCIE requires a firm-wide governance and compliance infrastructure. Our firm, in conjunction with Align Cybersecurity, includes a cybersecurity assessment and remediation plan in our compliance outsourcing service.