The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued “Cybersecurity and Resiliency Observations,” which summarizes and reflects on the cybersecurity risks its examiners have observed in thousands of examinations of broker-dealers and investment advisers over the past eight years. Fittingly, OCIE observed that one size does not fit all when it comes to cybersecurity. The paper nevertheless provides detailed commentary on several segments of risk and the responses to those risks. One of those areas, governance and risk management, is an area of overall concern for most firms.
As with compliance in general, an effective cybersecurity program “starts with the right tone at the top,” according to OCIE. Other studies demonstrate that without leadership support and continuous engagement, information security policies fail. In an effective program, the firm’s C-level executives and the board must coordinate the activities of several key employees and potentially outside service providers. The initial priority should be to inventory the firm’s cyber risks and then analyze and prioritize them. This must be a team exercise because expertise is required from multiple quarters and points of view. Larger firms may wish to coordinate cybersecurity policies at the enterprise level, but differences among constituencies within the enterprise may strongly suggest that policies should be addressed at the subsidiary level. Factors to consider are threats from malicious insiders, unintentional breaches through regular internal operations, risks relating to remote working and traveling, and geopolitical risks.