On January 27, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a statement designed “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” Companies regulated by the SEC, or organizations that work with companies the SEC regulates, should review OCIE’s observations of best practices and consider whether they are meeting OCIE’s expectations.
OCIE’s observations fall into several categories.
Governance and Risk Management. As OCIE notes, “[e]ffective cybersecurity programs start with the right tone at the top . . . .” OCIE also notes that effective programs include, among other things, (i) a risk assessment of cybersecurity threats; (ii) written cybersecurity policies and procedures to address said risks; and (iii) implementation and enforcement of those policies, including testing and monitoring and continuous evaluation of those policies.