You’ve probably heard the news: cybersecurity is a big deal these days. And when it comes to protecting sensitive consumer information from cyberattacks, arguably no industry faces a bigger burden of responsibility than financial services. The SEC’s Office of Compliance Inspections and Examinations (OCIE) went so far as to list information security for investment firms among its top examination priorities for 2020.
Based on audits of financial services companies, the SEC published a report last month on the OCIE’s observations on sound information security and “the maintenance and enhancement of operational resiliency.” It appears to be part of a larger push by government entities like the National Security Agency to encourage companies across the board to beef up their cybersecurity programs.
OCIE’s advice for financial services firms covers many aspects of information security, including data loss, governance, mobile devices and vendor management.
Governance and risk management
As would be expected, the OCIE puts the onus on executives to make cybersecurity a priority inside their companies. “Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks,” the report states.
The report includes three specific elements of security programs that the OCIE deemed to be effective:
- A cybersecurity risk assessment;
- Written policies and procedures addressing those risks; and
- Implementation and enforcement of those policies and procedures.
The OCIE also notes that firms are testing and monitoring whether those policies and procedures are actually followed and effective, and have processes in place to act promptly on the results.
Data loss prevention
The report details a series of strategies for keeping data from being lost or misused. For example, firms can perform routine vulnerability scanning and reviews of software code and web applications to find weaknesses before an attacker does. The OCIE also approvingly notes that some firms make sure sensitive information is removed from decommissioned hardware and software before it is disposed of or reused.
Vendor management
When it comes to working with outside parties, the OCIE says some firms are establishing specific security requirements and safeguards for vetting vendors. The risks that come with outsourcing, such as reliance on cloud-based services, should also be considered.
Mobile devices
Given the growth of mobile devices and applications, it comes as little surprise that firms are developing strategies to counteract the specific risks those devices introduce. As an example, firms are using mobile device management (MDM) software to control the devices and applications employees use for business email and calendars. Firms are also training employees on security practices specific to mobile devices.
Other aspects of information security covered in the report include how to respond to security breaches, training and awareness for employees, and user access rights and controls. All things considered, it’s better for firms to address these boring topics now, before they become much more exciting – and expensive – in the wake of a preventable cyberattack.