SEC Releases Cybersecurity Observations and Guidance

The SEC's Office of Compliance Inspections and Examinations ("OCIE") released a report detailing its cybersecurity and resiliency observations, which may suggest benchmarks for future inspections and could inform possible enforcement determinations.

On January 27, 2020, OCIE issued a report detailing cybersecurity and resiliency observations the staff made after "thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants." The report offers a snapshot of current market practices in seven key areas:

  1. Governance and Risk Management
  2. Access Rights and Controls
  3. Data Loss Prevention 
  4. Mobile Security
  5. Incident Response and Resiliency
  6. Vendor Management 
  7. Training and Awareness.

Going Beyond Written Policies to Continuously Implemented Practices

The report stressed that the one-time establishment of policies and procedures is not enough and instead encouraged organizations to engage in continual testing and monitoring for compliance, as well as periodic risk assessments of threats and safeguards. Other observed policies and procedures outlined in the report include those pertaining to user access management, vulnerability and perimeter scanning, encryption and network segmentation, mobile device management applications, incident response planning and testing, vendor management programs, and training and awareness, among others.

Enforcement actions to date have generally focused on regulated entities that maintained what the agency viewed as inadequate cybersecurity policies and procedures under Regulations S-P and S-ID. And in its 2020 Examination Priorities and earlier statements, OCIE has consistently identified governance and risk assessment, access rights and control, data loss prevention, vendor management, training, and incident response as key areas of focus. In the recent report, OCIE added mobile security as an additional stand-alone area of focus. 

The report notes that "there is no such thing as a 'one-size fits all' approach." Because the report identifies what OCIE has favorably observed in recent examinations of cybersecurity programs, however, the observations may suggest benchmarks for future inspections and could inform possible enforcement determinations.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.