On January 27, 2020, the Office of Compliance Inspections and Examinations (the “OCIE”) published their observations on the areas of cybersecurity and resiliency. The publication, entitled “Cybersecurity and Resiliency Observations” highlights seven areas in which the OCIE has observed companies practice the management of cybersecurity risk and operations resilience. These observations are provided to assist market participants in their consideration of enhancing cybersecurity preparedness and operations resiliency.
Governance and Risk Management
OCIE noted the engagement of board and senior leadership with a company’s cybersecurity and resiliency programs can be a key element to an effective program. OCIE observed that companies develop and conduct risk assessments to identify, manage and mitigate cybersecurity risks to the company. Companies adopt and implement policies and procedures to address these risks, communicate those policies and procedures, adapt to relevant changes and use testing and monitoring to validate the effectiveness of their procedures.
Access Rights and Controls
Access rights and controls are used to determine which users should be permitted access to which systems within an organization based on job responsibilities. Developing an understanding of access needs as well as managing access once the appropriate level of user access has been determined are two strategies observed by OCIE. Monitoring user access and developing procedures for issues such as failed login attempts, requests for usernames and passwords by customers, reviewing hardware and software for changes and then ensuring that any software or hardware changes that are made are approved are all further observations by OCIE.
Data Loss Prevention
Practices around data loss prevention are implemented to ensure sensitive data is not lost or accessed by an unauthorized user. OCIE observed organizations use vulnerability scanning to routinely check for susceptibilities in the system of the company as well as any applicable third-party providers. Companies also use perimeter security by implementing systems that can inspect and monitor all incoming and outgoing network traffic. Detective security used to detect threats on endpoints, patch management, inventory hardware and software maintenance, encryption and network segmentation and insider threat monitoring are also commonly observed safeguards. The securing of legacy systems and equipment, involving decommissioning and disposing of hardware and software to ensure the removal of sensitive information is another component of data loss prevention.
Mobile Security
OCIE noted mobile devices and applications may create cybersecurity vulnerabilities. Security measures observed to combat this vulnerability include: establishing policies and procedures for the use of mobile devices and applications, training employees in alignment with these policies, managing the use of mobile devices through a mobile device management application and the implementation of security measures such as requiring the use of multi-factor authentication for all users and ensuring the ability to remotely clear data in the case of a lost device.
Incident Response and Resiliency
OCIE observed several elements that are common to those organization that have an incident response plan. Developing a risk-assessed response plan, assigning staff to execute that plan and testing and assessing the plan before a threat are three elements. Additionally, applicable reporting requirements for both governmental authorities and customers for cyber incidents were considered when making the plan. Maintaining an inventory of core business operations and systems as well as assessing risks and prioritizing business operations are strategies that OCIE has observed to address operations resiliency and would enhance a company’s risk tolerance.
Vendor Management
OCIE noted four main areas under the category of vendor management that should be evaluated in the context of cybersecurity. These include: conducting due diligence for vendor selection, monitoring and overseeing vendors and contract terms, assessing the way vendor relationships are considered and assessing how vendors protect accessible client information. Companies were observed to establish a vendor management program through which the company can ensure vendors are meeting certain security requirements as well as formalize procedures for terminating a relationship. Additionally, companies evaluate and understand the specific roles of the company and the vendor as they relate to security. Companies continue to evaluate the vendor to ensure that appropriate standards are adhered to.
Training and Awareness
OCIE observed companies training staff to implement the policies surrounding cybersecurity and ensuring staff are aware of the relevant policies and procedures. OCIE noted including examples during training helps employees become better equipped to identify threats. Even after employees have gone through training, OCIE noted companies continuously evaluate the training for effectiveness and update the programs as necessary.
If you have any questions, please contact your relationship attorney at Seward & Kissel LLP.