SEC Office of Compliance Inspections and Examinations Publishes Paper

The Securities and Exchange Commission Commission’s Office of Compliance Inspections and Examinations (OCIE) earlier this week issued examination observations related to cybersecurity and operational resiliency practices taken by market participants.

The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. The observations highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and respond in the event of an incident.

“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts,” said SEC Chairman Jay Clayton.  “I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”

“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,’ said Peter Driscoll, Director of OCIE.  “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”

OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy. To see other OCIE publications, please visit www.sec.gov/ocie.