Facing increasing risks across numerous industries, a federal regulator for the first time has issued a list of best practices for cybersecurity as well as for resiliency after a breach.

The 13-page report includes tips aimed at general counsel and chief compliance officers on mobile device security, vendor management and more.

The Office of Compliance Inspections and Examinations, part of the U.S. Securities and Exchange Commission, on Monday issued the list, gleaned from its exams. The office regularly issues such observations, but usually they pertain to securities, investment advisers, money laundering and other financial issues.

"It's the first time these types of important cybersecurity resiliency observations have come from OCIE," said Alexander Southwell, co-chair of the privacy, cybersecurity and consumer protection group in the New York office of Gibson, Dunn & Crutcher.

"They have provided other guidance over the years about social media use, ransomware, privacy notices and more specific issues," Southwell added. "The SEC has recognized that it needs to be much more vigilant about cybersecurity risks and also that its entities could use more guidance, which is what leads to the sharing of observations like these."

The OCIE said, "In an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency."

OCIE director Peter Driscoll explained in a statement, "Through risk-targeted examinations … OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency. We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices."

The observations highlight basic approaches taken by organizations in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.

In the statement, SEC chairman Jay Clayton said, "Data systems are critical to the functioning of our markets, and cybersecurity and resiliency are at the core of OCIE's inspection efforts."

The OCIE report made business continuity and resiliency a key component of any incident response plan, that is, "if an incident were to occur, how quickly can the organization recover and again safely serve clients?"

The report discussed key elements of resiliency, including maintaining inventory of core business operations and systems, assessing risks and prioritizing business operations, and considering other safeguards such as backing up data elsewhere or buying cybersecurity insurance.

Gibson Dunn's Southwell said the report is significant because these are the matters regulators will be watching.

"We will continue to see greater emphasis on cybersecurity issues in SEC exams," he predicted, "and that will likely lead to an increase in enforcement investigations and actions, as well." The OCIE declined comment beyond its press release statement.

Southwell noted that OCIE included cybersecurity in its Jan. 7 list of exam priorities for 2020, along with "the related, quite interesting, area of alternative data." Alternative data includes information collected from various non-traditional sources, such as web scraping, data vendors, news stories and even hacking.

The OCIE statement of priorities said the office "recognizes that advancements in financial technologies, methods of capital formation and market structures, as well as registered firms' use of new sources of data (often referred to as "alternative data"), warrant ongoing attention and review."