On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a set of cybersecurity examination observations. The document outlines approaches taken by market participants in areas including governance and risk management, access rights and controls, data loss prevention, resiliency, vendor management, and training and awareness.
Notably, these practices and controls are drawn from the SEC’s current observations of market participants rather than from a prescribed checklist. They include both technology and governance measures, and the SEC presents them as the measures it has seen yield better security and resilience results.
The document also provides an indication of the attention the SEC is placing on cyber risk, consistently defining it as a systemic risk.
“Data systems are critical to the functioning of our markets and cybersecurity...”— Jay Clayton, SEC Chairman
The SEC note rightly indicates that successful cyber programs begin with governance: “Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.” We also concur with the SEC’s description of governance as starting with a risk assessment, followed by written policies and procedures and the effective implementation of those policies and procedures, including training and awareness-raising. Because that implementation depends on skilled people, the growing cyber skills gap becomes all the more pressing to close.
The SEC’s OCIE team views every element of a successful program, including the effective deployment of appropriate technology, as stemming from good governance.
The decisive factor separating well-performing companies from poor-performing companies on cyber is not the technology deployed but the management of that technology. The SEC correctly puts people, process, and policy at the core of an effective program. Yet financial losses and breaches continue to mount globally, outpacing record year-over-year growth in security investment by the very boards and management teams that are increasingly grappling with how to manage the risk better. Some underperforming companies, those we rate at 1-2 stars, do suffer from underinvestment in security, but more money is not necessarily the solution for every company. Whatever the budget, every program the board and management team put in place should start with a focus on people, process, and implementation (including training).