Yesterday the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released its 2021 exam priorities.
In the letter the SEC highlighted that their focus remains the same from prior years with a slight shift in priorities and adjustment of focus. The SEC stated that they will review whether firms have taken appropriate measures to:
- safeguard customer accounts and prevent account intrusions, including an investor’s identity to prevent unauthorized access;
- oversee vendors and service providers;
- address malicious email activities, such as phishing or account intrusions;
- respond to incidents, including those related to ransomware attacks; and
- manage operational risk as a result of dispersed employees in a work-from-home environment.
They also emphasized that EXAMS will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.
Firms must continue to govern, assess, test, and maintain their cybersecurity programs. This includes reviewing and updating policies to match internal processes and procedures. Maintain proper oversight of where sensitive data is and scrutinize the vendors that access, store, process, or transfer it. Malicious emails will continue to bombard users, so testing and training their knowledge to detect them is necessary, but more importantly, users should be trained how to react if they are a victim of a malicious email. Everyone in a firm can play a part in incident response. We encourage firms to perform tabletop exercises, especially if this has not been done before, to help prepare users for dealing with these situations. Continual assessments and testing of infrastructure, endpoints, and cloud solutions where sensitive data is stored will provide assurance that security controls are effective, and if not, uncover gaps that can be corrected to prevent breaches.
Due to the pandemic, many financial services firms have shifted to a remote working model and have adopted a more cloud-centric technology platform. Some may believe that by doing so some of the risk transfers to the cloud/service providers, however, this is far from the truth. The responsibility still lies with these firms and adjusting a cybersecurity program to address this model is necessary. This will certainly be a focus of the SEC given that many firms may continue to work this way after the pandemic has eased.
Given the unique nature in which financial services operate and the differences across them, developing a right-sized cybersecurity program is imperative.
At Elteni we help clients understand what constitutes a good cybersecurity program and are experts at developing a program that meets business objectives, regulatory and investor/client expectations. If you are questioning whether you need to develop a program or want an expert perspective on your current program or need to partner with someone to help you develop the program you have dreamed, feel free to reach out.
We welcome any and all questions. If you want an hour of our time that will not cost you a dime, feel free to reach out. We would love to hear from you.