SEC Publishes Observations on Cybersecurity and Resiliency Practices
The SEC Office of Compliance Inspections and Examinations (OCIE) issued examination observations related to cyber-security and operational resiliency practices of market participants. The observations highlight approaches of market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resilience, vendor management, and training and awareness. The observations cover specific examples of cyber-security and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and respond in the event of an incident.
While the effectiveness of any given cyber-security program is fact-specific, it has been observed that a key element of effective program is the incorporation of a governance and risk management program that generally includes, among other things:
- Developing and conducting a risk assessment process to identify, manage, and mitigate cyber risks relevant to the organization’s business. This includes considering the organization’s business model, as part of defining a risk assessment methodology, and working to identify and prioritize potential vulnerabilities.
- Adopting and implementing comprehensive written policies and procedures addressing the identified risks.
- Establishing comprehensive testing and monitoring to validate the effectiveness of cyber-security policies and procedures on a regular and frequent basis. Testing and monitoring can be informed based on cyber threat intelligence.
- Responding promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involving board and senior leadership appropriately.
OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy.
Related Links
Keywords: Americas, US, Securities, Operational Resilience, Governance, Data, Cyber Risk, SEC
Featured Experts
María Cañamero
Skilled market researcher; growth strategist; successful go-to-market campaign developer
Pierre-Etienne Chabanel
Brings expertise in technology and software solutions around banking regulation, whether deployed on-premises or in the cloud.
Nicolas Degruson
Works with financial institutions, regulatory experts, business analysts, product managers, and software engineers to drive regulatory solutions across the globe.
Previous Article
FIN-FSA Amends Regulations and Guidelines on Credit Risk ManagementRelated Articles
BIS Innovation Hub Sets Out Work Program for 2021
BIS Innovation Hub published the work program for 2021, with focus on suptech and regtech, next-generation financial market infrastructure, central bank digital currencies, open finance, green finance, and cyber security.
EC Plans to Consult on Crisis Management and EDIS Framework Revisions
In an article published by SRB, Mairead McGuinness, the European Commissioner for Financial Services, Financial Stability, and Capital Markets Union, discussed the progress and next steps toward completion of the Banking Union.
EBA Finalizes Remuneration Standards for Investment Firms in EU
EBA finalized the two sets of draft regulatory technical standards on the identification of material risk-takers and on the classes of instruments used for remuneration under the Investment Firms Directive (IFD).
ECA Recommends Actions to Enhance Resolution Planning for Banks
EC published, in the Official Journal of the European Union, a notification that the European Court of Auditors (ECA) has published a special report on resolution planning in the Single Resolution Mechanism.
BoE Publishes Key Elements of the 2021 Stress Testing for Banks in UK
BoE published a scenario against which it will be stress testing banks in 2021, in addition to setting out the key elements of the 2021 stress test, guidance on the 2021 stress test, and the variable paths for the 2021 stress test.
PRA Proposes Rules on Identity Verification of Depositor Protection
PRA published a consultation paper (CP3/21) proposes rules regarding the timing of identity verification required for eligibility of depositor protection under the Financial Services Compensation Scheme (FSCS).
FSB Publishes Work Program for 2021
FSB published the work program for 2021, which reflects a strategic shift in priorities in the COVID-19 environment.
FCA Issues Update on Move to New Data Collection Platform
FCA announced that 50% firms have started using the new data collection platform RegData, which is slated to replace the existing platform known Gabriel.
Bundesbank Publishes Derivation Rules for Reporting by Banks
Bundesbank published Version 5.0 of the derivation rules for completeness check at the form level, with respect to the data quality of the European harmonized reporting system.
FED Revises Capital Planning and Stress Testing Requirements for Banks
FED finalized a rule that updates capital planning requirements to reflect the new framework from 2019 that sorts large banks into categories, with requirements that are tailored to the risks of each category.
