The SEC’s recent publication of examination observations related to cybersecurity practices provides a helpful benchmark for firms trying to understand common market practices.


The Davis Polk Cyber Blog welcomes a new author, partner Robert Cohen.  Rob has 15 years of experience in the SEC’s Division of Enforcement across a wide range of matters.  Most recently, Rob was the first-ever Chief of the Cyber Unit at the SEC, supervising investigations concerning cybersecurity events, controls, and disclosures at regulated entities and public companies, cyber-related trading cases such as hacking for nonpublic information, and initial coin offerings and other conduct involving digital assets.  Previously, he served as Co-Chief of the Market Abuse Unit, where he supervised complex insider trading, manipulation, and market structure investigations.  Here, Rob joins two colleagues in providing thoughts about a helpful document the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued this week on cybersecurity.

The OCIE document, which is based on thousands of examinations, is an easy-to-read outline of OCIE’s cybersecurity focus during exams.  SEC-regulated entities can expect examiners to ask questions about these topics, and the OCIE document suggests what OCIE expects from companies.

OCIE discussed a number of important observations, but four key takeaways are:

  • Focus on Senior Leadership.  OCIE’s first substantive observation is the importance of senior-level engagement in overseeing cybersecurity.  OCIE also points to the importance of escalating insider threats to senior leadership, as appropriate, and involving board and senior leadership when updating risk management policies and procedures.  You can expect examiners to probe the degree of oversight from senior leadership in future exams.
  • Vendor Management – A Message to Companies and Vendors.  OCIE highlights the importance of establishing a vendor management program to ensure that vendors meet a company’s security requirements.  OCIE discusses contract terms that outline each party’s rights, responsibilities, and expectations regarding cybersecurity.  Vendor outsourcing is also an important topic for discussion with vendors, such as vendor use of cloud-based services.  OCIE’s message appears to be that it expects companies to actively engage with their vendors on cybersecurity, and that examiners might explore vendor oversight during exams.  This message is for regulated entities and financial services vendors alike.
  • Monitoring Access.  OCIE emphasizes that companies need to know exactly who has access to their systems and data, and at what levels of sensitivity.  OCIE suggests that companies should limit access to sensitive systems and data based on each user’s need.  The guidance also suggests that companies should periodically review account access to determine whether continued access is needed.  The apparent message is that OCIE expects companies to have more than good policies and procedures on paper; OCIE is looking at whether companies actively monitor access to systems and make adjustments based on changes in needs and business developments.
  • Multi-factor Authentication.  OCIE points to the importance of some specific controls, such as multi-factor authentication (MFA), indicating that OCIE may question companies that are not at least moving towards using such controls (although OCIE acknowledges that there is no “one-size fits all” approach towards cybersecurity preparedness and resiliency).

Overall, the guidance is a helpful listing of OCIE’s observations and an indication of what OCIE may ask during exams.  For further discussion of the guidance, see Davis Polk’s recent Client Memorandum.

The Client Memorandum has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.