“Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.
On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities. Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.
In response to these threats, EXAMS has announced that it will focus its reviews on whether firms have taken appropriate security measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment. Access control issues when utilizing online and mobile apps are also on the EXAMS review radar for 2021, as is the security of personally identifiable information maintained with third-party cloud service providers. Furthermore, expect an EXAMS review to include an evaluation of the firm’s policies and procedures related to the protection of investor records and information. EXAMS has indicated that defensible policies and procedures are a key component of information security and will probably be in scope for routine reviews.
Firms can prepare for an EXAMS review by reevaluating their existing Information Security Policy, Incident Response Plan, Vendor Management Policy and employee training. An internal assessment of these policies and procedures for gaps in defensibility can be accomplished in five (5) steps. First, examine the organization’s Information Security Policy to ensure there are standards for strong authentication procedures to prevent account intrusions and unauthorized access, as well as to manage remote employee access effectively and securely. Second, assess whether the Incident Response Plan contains up-to-date, tested procedures to identify, contain, manage and remediate malicious phishing attempts, account intrusions and ransomware attacks. Third, review the current Vendor Management Policy to verify that the guidance for identifying risky vendors is practical and comprehensive. Fourth, ensure that the Vendor Management Policy documents the controls implemented to minimize vendor risk, particularly with regard to personally identifiable information.
Last, the importance of continuously training employees on cybersecurity cannot be overstated. Training is critical to reducing the harmful effects of cyberattacks and data breaches caused by human error. Human beings are still the weakest link in every organization’s security plan. By making employees aware of the scope of the threats, and what’s at stake if security fails, every firm can reduce its cyber risk exposure. The dramatic surge in employees working from home has sharply increased the number of security incidents. In a recent study by Barracuda Networks, 46 percent of respondents experienced at least one security incident since lockdown restrictions were implemented in 2020, and 51 percent saw an increase in email phishing attacks.
In summary, the EXAMS 2021 Examination Priorities related to information security provide good insight into what firms can expect during a review. By following the five (5) steps outlined above, firms can address cybersecurity issues proactively prior to a review.