SEC Tackles Cybersecurity for Financial Services Sector

You’ve probably heard the news: cybersecurity is a big deal these days. And when it comes to protecting sensitive consumer information from cyberattacks, arguably no industry faces a bigger burden of responsibility than financial services. The SEC’s Office of Compliance Inspections and Examinations (OCIE) went so far as to list information security for investment firms among its top enforcement priorities for 2020.

Based on audits of financial services companies, the SEC published a report last month on the OCIE’s observations on sound information security and “the maintenance and enhancement of operational resiliency.” It appears to be part of a larger push by government entities like the National Security Agency to encourage companies across the board to beef up their cybersecurity programs.

OCIE’s advice for financial services firms covers many aspects of information security, including data loss, governance, mobile devices and vendor management.

Governance and risk management

As would be expected, the OCIE puts the onus on executives to make cybersecurity a priority inside their companies. “Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks,” the report states.

The report includes three specific elements of security programs that the OCIE deemed to be effective:

  • A cybersecurity risk assessment;
  • Written policies and procedures addressing those risks; and
  • Implementation and enforcement of those policies and procedures.

The OCIE also says companies are instituting testing and monitoring for their protocols, along with ways to respond promptly to the results.

Data loss prevention

The report details a series of strategies for keeping data from being lost or misused. For example, companies can perform routine reviews of things like software code and web applications to look for vulnerabilities. Additionally, the OCIE approvingly notes that some companies take steps to ensure that old hardware and software delete sensitive information.

Vendor management

When it comes to working with outside parties, the OCIE says some firms are establishing specific security requirements and safeguards to be applied in vetting vendors. There are also risks associated with vendor outsourcing that should be considered, such as the use of cloud-based services.

Mobile security

Given the growth of mobile devices and applications, it comes as little surprise that companies are developing strategies to counteract their specific vulnerabilities. As an example, companies are using “mobile device management” applications for functions like business email and calendars. Companies are also training employees on effective security practices for mobile devices.

Other aspects of information security covered in the report include how to respond to security breaches, training and awareness for employees, and user access rights and controls. All things considered, it’s better for issuers to address these boring topics now, before they become much more exciting – and expensive – in the wake of a preventable cyberattack.
