The U.S. Securities and Exchange Commission (SEC) is calling on industry firms to review their cyber defences and operational resilience.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) published a report detailing the cybersecurity findings from thousands of its compliance exams of broker-dealers, investment advisory firms, exchanges, clearing agencies and others.
The report highlights firms’ practices and controls in various areas, including governance and risk management, access controls, data loss prevention, mobile security, incident response, vendor management and training.
The regulator said that while there is no “one size fits all” approach to cybersecurity, firms should review the results of the report and consider their own controls.
“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,” Peter Driscoll, director of the OCIE, said in a statement.
“We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices,” he added.
“Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts,” said SEC chairman Jay Clayton. “[I] encourage market participants to incorporate this information into their cybersecurity assessments.”