HCBA Lawyer Magazine Vol. 28, No. 2 | Page 52

MARK YOUR CALENDAR:
HCBA’s Annual Diversity Networking Social is on Feb. 10, 2018, at the Chester Ferguson Law Center.
Findings and Best Practices from SEC on Creating an Effective Cybersecurity Program
Securities Section Chairs: Rob Jamieson – Wiand Guerra King & Matthew Schwartz – Cole Scott Kissane

Because cybersecurity is currently a hot topic with regulators, substantial guidance is being generated to outline best practices that firms should follow when designing robust cybersecurity programs. The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently provided such guidance in a Risk Alert reporting its recent sweep examination results. See SEC, Observations from Cybersecurity Examinations, Vol. VI, Issue 5 (Aug. 7, 2017).

While the industry awaits definitive rules surrounding cybersecurity, the SEC makes a number of resources available to provide firms guidance when implementing and managing cybersecurity programs. This guidance was created in part from OCIE’s 2014 Cybersecurity Initiative and examination findings of over 50 firms’ cybersecurity practices. See SEC OCIE, Cybersecurity Initiative, Vol. IV, Issue 2 (Apr. 15, 2014); SEC OCIE, Cybersecurity Examination Sweep Summary, Vol. IV, Issue 4 (Feb. 3, 2015).
Cybersecurity Procedures Are Improving
In 2015, OCIE’s examinations focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. The results of those examinations, which were recently released, revealed that firms have generally increased their overall cybersecurity preparedness.
In fact, the results show that nearly every firm examined maintained some form of cybersecurity policies and procedures. The majority of firms also conducted periodic risk assessments and penetration tests, and used systems to prevent or detect data breaches.
The cybersecurity programs that firms adopted have several similarities. OCIE found firms regularly addressed business continuity planning and privacy concerns, and nearly all firms developed response plans to cover data breaches. Firms have also begun to clearly identify cybersecurity roles and responsibilities for associated persons.
Improving Cybersecurity Procedures
In addition to providing the results of its examinations, OCIE has identified several specific elements that firms should adopt when designing an effective cybersecurity program:
• maintain an inventory of data, information, and vendors;
• create detailed cybersecurity-related instructions in policies;
• maintain schedules and processes for testing data integrity and vulnerability;
• enforce data access controls;
• conduct employee training; and
• obtain senior management support and approval.
Continued on page 51

50 NOV - DEC 2017 | HCBA LAWYER