New SEC Guidance on Cybersecurity for Financial Industry: Tighten Up Governance and Risk Management

January 30, 2020  Jeff B. Copeland

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), released a guidance document, based on thousands of security audits of brokerages, exchanges and other SEC-registered firms, that urges the financial industry to adopt a list of best practices, starting with tighter governance and risk management.

The OCIE Cybersecurity and Resiliency Observations document says “effective cybersecurity programs start with the right tone at the top with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.”

Specifically, the OCIE recommends this checklist:

  • Senior level engagement, with board and C-level strategy for cybersecurity and resiliency
  • Risk assessment that includes “considering the organization’s business model.”
  • Policies and procedures that are written and comprehensive
  • Testing and monitoring to validate cybersecurity policies on a regular and frequent basis
  • Continuously evaluating and adapting to changes “to address any gaps or weaknesses and involving board and senior leadership appropriately.”
  • Communication in a timely way to decision makers, customers, employees, other market participants and regulators as appropriate.

This checklist closely follows the roadmap set by the SEC’s guidance of March, 2018 (see our blog post  SEC Tells Public Companies to Up Their Game in Assessing and Disclosing Cyber Risks) though that document had a different focus: cyber risk reporting in disclosures by public companies.  The SEC’s message then was that cyber risk must be reported in the same financial terms as is standard for other business risks – no more vague, qualitative statements that had been the norm in cybersecurity.

The 2018 guidance strongly pointed public companies to quantitative analysis of cyber risk to meet new stringent requirements – as does this latest messaging from the SEC aimed at brokers and other managers of money.

With a quantitative, financial basis for understanding cybersecurity, organizations can engage senior leadership in the non-technical terms they understand… perform risk assessments that align with the organization’s business model… set policies and procedures that include tangible goals, for instance based on risk appetite defined in financial terms… test and adapt with rapid triaging of risks, enabled by financial analysis…and  clearly communicate cyber risk in business terms – as this latest messaging from the SEC and the 2018 guidance recommend.

Some background: The OCIE has been particularly concerned about the rapid movement of the investments industry to the cloud – see their 2019 Risk Alert on network storage of customer records. For our outlook on the problem, see this blog post: Three Steps to Evaluate Security Risks of Cloud Migration.

The  RiskLens platform, operationalizing the international standard model for quantitative cyber risk analytics, the  FAIR model, is in use at many of the largest, global financial institutions for analysis and reporting to decision makers, stakeholders, investors and regulators.  Contact us to learn more.