On Jan. 27, the Securities and Exchange Commission (SEC), Office of Compliance Inspections and Examinations (OCIE) issued a report titled "Cybersecurity and Resiliency Observations." The report provides observations about practices that financial institutions such as broker-dealers, investment advisers, clearing houses and other SEC-registered entities are utilizing to protect against cybersecurity threats. These insights are the byproduct of thousands of examinations performed by the OCIE. The report groups the practices observed into seven categories: governance and risk-management programs; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. As to the report's purpose, OCIE states that its observations about these practice areas are being offered "to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency." In other words, all registered entities and public companies should consider the best practices observed by OCIE for their cybersecurity programs.

While the report has no legal force or effect, all public companies, even non-SEC registrants, would be wise to consider making the observed practices part of their own cybersecurity risk management strategy, as the report may be relied upon in enforcement proceedings or by plaintiffs' counsel in private securities litigation. The report should not be viewed in a vacuum either. It is recent commentary but not the only guidance issued by the SEC regarding cybersecurity-related industry practices. Another well-known body of guidance issued by the SEC concerns disclosures required in registration statements related to both "cybersecurity risks and cyber incidents." This disclosure guidance was originally issued by the SEC, Division of Corporation Finance on Oct. 13, 2011, after it determined "that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant's specific facts and circumstances." On Feb. 21, 2018, the SEC issued interpretive guidance to update and reinforce the guidance issued in 2011. Notably, the 2018 guidance, among other things, stressed the importance of maintaining "comprehensive policies and procedures related to cybersecurity risks and incidents."

The OCIE report adds significantly to this point by illuminating the policies and procedures that organizations are implementing to prevent cybersecurity threats and address incidents if or when they occur. Thus, the SEC is not solely focused on the adequacy of disclosures with respect to incidents that have occurred but is also offering information on policies and procedures that organizations are implementing to prevent cyber-attacks in the first instance. A summary of the observations made by the OCIE by practice area is set forth below. These consist of a number of best practices that OCIE has found during its examinations.


OCIE Report Observations

  • Governance and risk management programs

As a threshold matter, OCIE noted that it has observed that "tone at the top" matters when it comes to an effective cybersecurity program. Senior leaders need to be committed to the program and possess the ability to effectively prioritize and communicate about the company's cybersecurity risks and strategies. Effective governance and risk management programs include risk assessments, written cybersecurity policies and procedures, and effective implementation and enforcement of those policies and procedures. OCIE recognized that risk assessment methodologies work most effectively when they consider the organization's specific business model and prioritize vulnerabilities (e.g., remote or traveling employees, insider threats, international operations and geopolitical risks). Companies are also testing and monitoring policies and procedures, addressing weaknesses and gaps, and establishing strong communication policies to disseminate important information to decision makers in a timely manner in the event of a cybersecurity incident.

  • Access rights and controls

OCIE has observed that companies are using certain access rights and controls strategies to aid in cybersecurity efforts. Generally, these access controls include understanding the location of data, restricting access to users, and establishing controls to monitor and prevent unauthorized access. Regarding access management, OCIE has observed company procedures that: limit access to certain users; implement separation of duties for user access approvals; re-certify users' access rights on a periodic basis; require strong passwords and periodic changes; use multi-factor authentication (MFA); and immediately implement access restrictions for individuals no longer with the company. With respect to access monitoring, OCIE has found procedures that: lock accounts after too many failed login attempts; focus on proper handling of requests for password changes; consistently review hardware and software changes, and ensure changes are approved and anomalies are investigated.
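Three of the access-management and access-monitoring procedures listed above (periodic re-certification of access rights, immediate removal of access for departed individuals, and locking accounts after repeated failed logins) can be checked mechanically. The Python below is an added illustration written for this summary; it is not code from the OCIE report or from any examined firm. The user inventory, the HR termination feed, the authentication log format and the thresholds (a 90-day re-certification period, five failed logins) are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed access inventory, in the shape an identity system might export.
# Usernames, roles and dates are hypothetical.
USERS = [
    {"user": "asmith", "role": "trader",  "last_recertified": date(2019, 11, 15), "active": True},
    {"user": "bjones", "role": "admin",   "last_recertified": date(2019, 3, 1),   "active": True},
    {"user": "cwu",    "role": "analyst", "last_recertified": date(2020, 1, 10),  "active": True},
    {"user": "dlee",   "role": "trader",  "last_recertified": date(2019, 12, 20), "active": True},
]

# Constructed HR feed: usernames of people who have left the firm.
TERMINATED = {"dlee"}

# Constructed authentication log, one event per line (hypothetical format).
AUTH_LOG = """\
2020-02-03T09:01:12Z user=asmith result=success src=10.1.4.22
2020-02-03T09:02:05Z user=bjones result=failure src=203.0.113.9
2020-02-03T09:02:19Z user=bjones result=failure src=203.0.113.9
2020-02-03T09:02:33Z user=bjones result=failure src=203.0.113.9
2020-02-03T09:02:48Z user=bjones result=failure src=203.0.113.9
2020-02-03T09:03:02Z user=bjones result=failure src=203.0.113.9
2020-02-03T09:05:40Z user=asmith result=failure src=10.1.4.22
2020-02-03T09:06:11Z user=cwu result=success src=10.1.7.3
"""

# Date on which the review is run (fixed so the example is reproducible).
REVIEW_DATE = date(2020, 2, 3)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def overdue_recertifications(users, today, max_age_days=90):
    """Active accounts whose last access re-certification is older than the review period."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(u["user"] for u in users if u["active"] and u["last_recertified"] < cutoff)


def orphaned_accounts(users, terminated):
    """Active accounts that belong to people the HR feed says have left the firm."""
    return sorted(u["user"] for u in users if u["active"] and u["user"] in terminated)


def lockout_candidates(events, threshold=5):
    """Users with at least `threshold` failed logins in the log window."""
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    return sorted(user for user, n in failures.items() if n >= threshold)


def access_review(users, terminated, log_text, today, max_age_days=90, threshold=5):
    """Run all three checks and return the findings as one report."""
    events = parse_auth_log(log_text)
    return {
        "overdue_recertification": overdue_recertifications(users, today, max_age_days),
        "orphaned_accounts": orphaned_accounts(users, terminated),
        "lockout_candidates": lockout_candidates(events, threshold),
    }


if __name__ == "__main__":
    for check, hits in access_review(USERS, TERMINATED, AUTH_LOG, REVIEW_DATE).items():
        print(f"{check}: {hits or 'none'}")
```

On the constructed data the review flags `bjones` for an overdue re-certification and for five failed logins, and `dlee` as an account still active after termination. In practice the inventory and HR feed would come from the identity and HR systems, and the lockout check would run continuously rather than at review time.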

  • Data loss prevention

OCIE also has observed a number of data loss prevention strategies that organizations are implementing to safeguard data. OCIE noted that vulnerability management programs have been established to conduct routine scans of software and applications both within the organization and at third-party vendors. Perimeter security is being implemented through monitoring and inspecting incoming and outgoing network traffic, firewalls, and programs capable of blocking access to personal email, social media sites, and USB and CDs. Security programs are being used that can detect threats such as fraudulent communications, to avoid unauthorized running of software or malware on company systems. OCIE has found organizations are also establishing patch management programs that cover all software and hardware as well as anti-virus and anti-malware installation, maintaining an on-hand inventory of hardware and software assets, and using encryption and network segmentation. Data is being encrypted both "in motion," internally and externally, and "at rest" (i.e., on desktops and tablets). Insider threat programs are being utilized to identify suspicious activity. Organizations are increasing the breadth and frequency of testing and creating rules to identify and block the transmission of sensitive data from leaving the company. Organizations are also becoming more thoughtful about old hardware and software systems by removing sensitive information before these items are disposed of and replacing older systems that may be more vulnerable with more modern technologies.
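The "rules to identify and block the transmission of sensitive data" mentioned above are, at their simplest, pattern matches over outbound content with validation to suppress false positives. The Python below is an added illustration for this summary, not code from the OCIE report or any examined firm; it assumes two hypothetical data categories (U.S. Social Security numbers and payment card numbers), a constructed sample message, and a block-or-allow policy.

```python
import re

# Loose patterns for two categories of sensitive data; the validators below
# do the real filtering so that ordinary numbers are not blocked.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators

# Constructed outbound message used to exercise the rules (all values fictitious).
SAMPLE_MESSAGE = (
    "Client SSN 123-45-6789, card 4111 1111 1111 1111 on file, order 1234567890123 shipped."
)


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so the finding itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_outbound(text):
    """Return (kind, masked_value) for each sensitive item found in an outbound message."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # the 13-digit order number fails this and is ignored
            findings.append(("card", mask(digits)))
    return findings


def policy_decision(text):
    """'block' when anything sensitive is present, otherwise 'allow'."""
    return "block" if scan_outbound(text) else "allow"


if __name__ == "__main__":
    for kind, masked in scan_outbound(SAMPLE_MESSAGE):
        print(f"found {kind}: {masked}")
    print("decision:", policy_decision(SAMPLE_MESSAGE))
```

The masked findings are what an analyst would see in the alert; the raw values never leave the scanner. A production rule set would add more categories and allow-lists for approved destinations, but the structure (loose match, validation, masking, decision) stays the same.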

  • Mobile security

Mobile devices present cybersecurity challenges, and OCIE has observed organizations taking several positive mobile security measures. Organizations are establishing policies and procedures, including a "bring your own device" policy, utilizing a mobile device management (MDM) application for business devices, and ensuring the MDM works for bring-your-own devices. Organizations are requiring MFA use for all internal and external users, taking steps to prevent employees from saving information on personal devices, and ensuring that they have the ability to clear content from lost or stolen devices.

  • Incident response and resiliency

Incident response and resiliency concerns how quickly and effectively a company can disclose incidents and take corrective actions. OCIE found that organizations are building risk-assessed incident response plans that consider various cybersecurity risk scenarios and implement procedures that include timely notification and responses to incidents, processes for escalating incidents to appropriate management-level officials, including legal and compliance personnel, and methods for informing key stakeholders. Organizations also are giving employees specific roles and responsibilities in the event of a cybersecurity attack. The incident response plans and employee roles are being tested through different methods, including tabletop exercises. Organizations are also determining state and federal reporting requirements and ensuring compliance with these for cybersecurity incidents should they occur. In the event of an incident, OCIE instructs that organizations should consider contacting the FBI if an attack or compromise is discovered or suspected, informing regulators of potential intrusions, and notifying customers if their data is compromised.

Likewise, organizations are building resiliency to cyber-attacks by maintaining an inventory of core business operations and systems to understand the impact of any attack. Similarly, businesses are developing strategies based on each company's specific risk tolerance by considering which systems can be substituted in and out during a disruption to allow the business to function, ensuring that back-up data is appropriately geographically located, and determining the impact of business disruptions on stakeholders. Organizations are also considering additional safeguards for data such as hosting back-up data on different networks and obtaining cybersecurity insurance.

  • Vendor management

Third parties also present cyber risks for organizations. OCIE defines vendor management to include policies and procedures related to vendor due diligence, monitoring, and contract terms, as well as how vendor relationships are considered as part of the organization's ongoing risk assessment, to determine appropriate levels of due diligence and how vendors protect accessible client information. OCIE has observed organizations establishing vendor management programs that require vendors to meet certain security requirements, using questionnaires based on industry standards (e.g., SOC2, SSAE18), utilizing independent audits to ensure quality, and creating procedures for terminating and/or replacing vendors. Organizations are striving to have a better understanding of each party's responsibilities under vendor contracts and the risks in outsourcing and cloud-based services. Organizations are also engaged in vendor monitoring to ensure certain security requirements are met.

  • Training and awareness

Another OCIE observation is with regard to companies using certain training techniques to educate employees about cyber risks and responsibilities. Organizations are training staff on cybersecurity policies and procedures, creating specific exercises to help employees identify phishing emails, and training employees on how to respond to indicators of breaches (e.g., obtaining customer confirmation if behavior appears suspicious). These trainings need to be effective, and companies are monitoring attendance and updating the programs based on new cyber-threat intelligence.


Implications and Recent Enforcement Activity

The report may give the public a better lens into SEC expectations as its enforcement activities surrounding cybersecurity incidents ratchet up. In September 2017, the SEC established the Division of Enforcement's Cyber Unit to focus on, among other things, cybersecurity controls at regulated entities and issuer disclosures of cybersecurity incidents and risks. Since that time, the SEC has engaged in a number of enforcement actions concerning cybersecurity. These enforcement actions have impacted large well-known companies including Yahoo, Voya Financial Advisors and Facebook.

In April 2018, Altaba, formerly known as Yahoo!, entered into a $35 million settlement with the SEC for allegedly misleading investors by failing to disclose one of the world's largest data breaches in a timely manner. The data breach occurred in December 2014 and involved Russian hackers who stole personal data concerning more than 500 million Yahoo! users. According to the SEC, Yahoo learned of the intrusion within days of the attack, and the incident was reported to senior management and its legal department, but Yahoo failed to adequately investigate the attack or consider whether it needed to be disclosed to investors. The data breach was not disclosed to investors until September 2016, when Verizon Communications was acquiring Yahoo's operating business.

In September 2018, the SEC settled charges against Voya Financial Advisors (VFA) alleging violations of the Safeguards Rule and Identity Theft Red Flags Rule. VFA agreed to be censured, pay a $1 million penalty, and retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule. This enforcement proceeding was the first instance of charges concerning the Identity Theft Red Flags Rule. The SEC action came in response to a cybersecurity incident whereby cyber intruders impersonated customers over a six-day period to gain access to the personal information of 5,600 VFA customers. The SEC order states that VFA's failure to stop the intruders stemmed from weaknesses in its cybersecurity procedures. The chief of the SEC Enforcement Division's Cyber Unit, Robert A. Cohen, stated regarding this enforcement action that, "This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models."

In July 2019, the SEC settled with Facebook for $100 million to resolve charges of inadequate and misleading disclosures concerning the risks of user data misuse. The SEC complaint alleged that in 2014 and 2015 Facebook had permitted an advertising and data analytics company to create personality scores for approximately 30 million Americans. In the process, the company collected and transferred data, including personal information, that it used in connection with political advertising. The SEC complaint alleged that Facebook knew about the misuse of information in 2015 but did not disclose it for over two years, instead telling investors that "our users' data may be improperly accessed, used or disclosed." The SEC also noted in its complaint that during the two-year period of non-disclosure, Facebook did not have specific policies or procedures to assess the results of its investigation.

Although the OCIE report is directed to SEC-registered entities, by implementing the strategies outlined in the report, all organizations may be able to avoid enforcement actions like those that have cost these companies millions of dollars. In each case, the SEC took issue with weaknesses in the policies and procedures in place at the organization to assess risks and investigate incidents. These cases also illuminate the need for strong policies and procedures in many of the practice areas referenced in the report and discussed above. Organizations should reflect on the report and use it as a tool to guide cybersecurity policies, to ensure that proper measures are being taken to prevent and respond to cybersecurity threats.

Robert L. Hickok is a partner and former co-chair of the litigation and dispute resolution department of Pepper Hamilton. He is a past member of the firm's executive committee. He can be reached at 215-981-4583 or [email protected].

Jay A. Dubow is a partner with the firm, resident in the Philadelphia office. He is a member of the firm's white-collar litigation and investigations practice group and is co-chair of the securities and financial services enforcement group. He can be reached at 215-981-4713 or [email protected].

Robyn R. English-Mezzino is an associate in the firm's trial and dispute resolution practice group, a seasoned and trial-ready team of advocates who help clients analyze and solve their most emergent and complex problems through negotiation, arbitration and litigation. She can be reached at 609-951-4193 or [email protected].