SEC OCIE’s Latest Guidance Updates
As a member of the financial industry, you never stop worrying — even just a little — about the SEC Office of Compliance Inspections and Examinations (OCIE). Their cybersecurity exam sweeps are detailed, intensive, and constantly updating to keep up with changes in the industry.
That’s why it’s so important to keep track of what they’re really looking for. They recently published new guidance – do you know what it includes?
What Are The Latest Guidelines Recommended By SEC OCIE?
Governance and Risk Assessment
A number of key details need to be documented in order to track governance of data and understand potential risks:
- Policies and Procedures for the “protection of customer/client records and information” as well as to “protect against anticipated threats to customer/client information”
- All Board minutes concerning cybersecurity, incident response planning, and actual cybersecurity incidents
- The name of the CISO
- The date of the last cybersecurity risk assessment
- List of penetration testing, with descriptions and frequencies of the tests involved
- A sample log or report
Access Rights and Controls
You need to have a clear overview of who has access to what. For example, you should have a list of the last ten employees to leave during the review period, with documentation as evidence of their last date of employees, and the date their access to the firm’s data was terminated.
No matter what kind of cybersecurity you have in place at the office, it won’t extend to the mobile devices that have access to your data.
This is a critical limitation of your cybersecurity software, and it’s obvious when you think about it – if your firewall is only installed on your work devices, but you let employees use personal devices and home workstations to access business data, then obviously you won’t be totally secure, and you’ll be left open to critical vulnerabilities that will only be more common in the coming years:
- Lost or stolen devices can do major damage to you, leading to compromised data and lost work.
- Unsecured Wi-Fi hotspots and other vulnerabilities allow intruders inside your private network.
- Mobile devices are becoming bigger targets for cybercriminals, who use malware and other methods to attack smartphones and tablets.
That’s why you need a mobile device management (MDM) plan. This type of comprehensive policy dictates how your employees can use their personal devices for work purposes, dictating which security apps should be installed, and what best practices need to be followed.
An effective MDM policy should also instill safe and secure practices for employees that use personal devices for business purposes. Key considerations include:
- Decide when and how mobile devices will be used. Integrated into your internal network, these devices can be used to access, store, transmit, and receive business data. You’ll need to have policies in place to regulate how employees use their devices to interact with sensitive data.
- Consider how mobile device use can pose risks to your data. A risk analysis will help you identify vulnerabilities in your security infrastructure, and help you determine the safeguards, policies, and procedures you’ll need to have in place. Assessments should be conducted periodically, especially after a new device is granted access, a device is lost or stolen, or a security breach is suspected.
- Develop, document, and implement mobile device usage policies and procedures. Policies that are designed for mobile devices will help you manage risks and vulnerabilities specific to these devices.
- Implement practices for controlling which apps are permitted for business use.
Maintaining mobile security isn’t just about having the right apps – it means following the right protocols, to eliminate unknown variables and maintain security redundancies:
- Review installed apps and remove any unused ones on a regular basis.
- Review app permissions when installing, and when updates are made.
- Enable Auto Update, so that identified security risks are eliminated as quickly as possible.
- Keep data backed up to the cloud or a secondary device (or both).
Incident Response & Resiliency
Your ability to protect your data comes down to how you answer these key questions:
- Do You Have A Data Inventory?
You have to start from a place of understanding. Begin by taking stock of your data – what it is, where it is stored, etc. With that information, you can then move forward in protecting it.
- Do You Have A Data Backup Policy In Place?
If not, then you’re vulnerable.If you have a data backup solution, then it doesn’t matter what happens to your data onsite – you can just replace it with your backup, simple as that.That’s why you should make a considerable investment in a comprehensive backup data recovery solution so that you can restore your data at a moment’s notice when necessary.Be sure to:
- Back up data on a regular basis (at least daily).
- Inspect your backups to verify that they maintain their integrity.
- Secure your backups and keep them independent from the networks and computers they are backing up.
If you think you may have been the victim of ransomware, phishing, or another type of cybercrime, your first step is to get in touch with your IT support immediately. Hardening your systems against attacks and thereby making yourself a harder target for cybercriminals is absolutely critical.
Beyond that, make sure to follow these three steps:
- Isolate The Damage: Your first move when an attack occurs is to isolate the computer from the network to prevent further access. Remove the network cable from the tower or laptop and turn off your networking functions (the Wi-Fi settings). Do this manually even if you have security software that claims to shut down the connection for you.
- Power Down: You also need to shut down your computer to prevent damage to your hard drive. Ideally, your anti-virus and anti-spyware will prevent the attacker from getting that far, but you still need to remove it from the computer to protect it fully.
- Control Access: Resetting your passwords is also critical. You should be sure to create entirely new passwords and avoid re-using them at any point. Don’t forget to check any accounts linked to your computer, including social media profiles, email accounts, online banking, and any other potential targets.
According to the Ponemon Institute, 80% of businesses agree that vendor security is important. However, only 60% take action in order to verify it. There are a number of key facts that expose the role that your vendors play in your security:
- Businesses share confidential information with an average of 583 third parties
- One-third of businesses have no vendor risk management policy in place whatsoever
- The businesses that do undertake third party risk assessments spend an average of 15,000 hours each year doing so
That’s why you need to implement a number of best practices to make sure you’re managing them securely:
- Policies and Procedures (if none, description of processes related to vendor management)
- List of third-party vendors with access to firm’s network and data
- Sample contract
- Written contingency plans in case of vendor bankruptcy or other issues
Training & Awareness
Cybersecurity gimmicks — such as “set it and forget it” firewalls and antivirus software — fail to account for how important the user is. Even the most effective digital security measures can be negated by simple human error, which is why conventional solutions are simply not enough to ensure your business’ safety. Much of cybersecurity is dependent on the user, and as such it’s vital that you properly educate your employees in safe conduct. The more your workforce knows about the security measures you have in place, the more confidently they can use the technology is a secure manner.
You should have a security awareness program in place to teach your staff:
- How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
- How to use business technology without exposing data and other assets to external threats by accident.
- How to respond when you suspect that an attack is occurring or has occurred.
- Further vital information that your staff needs to maintain a secure business.
Even with all this vital information, ensuring your next SEC OCIE exam goes smoothly is more easily said than done. Allow Kraft Technology Group to help. We’ve got the financial industry knowledge and expertise to bring your documentation up to standard, making sure you have everything on OCIE’s request list during your next cybersecurity exam.
Like this article? Check out the following blogs to learn more:
The Need for Cybersecurity Expertise at the Board Level for Banking
The new Health Industry Cybersecurity Practices (HICP)
NIST’s Small Business Cybersecurity Corner