An interesting article by Jerome Roche, Caitlin Potratz Metcalf and Elias Gurewitsch from Linklaters setting out in detail the SEC's new guidance on cybersecurity and resilience. Irrespective of whether your firm is regulated by the SEC, cybersecurity is a boardroom issue and one that must be taken seriously. The guidance set out in this article is a good starting point for anyone.
Start with a risk assessment: above and beyond anything else, cybersecurity is a risk issue that must be understood and quantified by senior management, so that they can determine the appropriate and effective controls to implement to reduce the risk. It is no different from any other enterprise risk factor.
The article also touches on some familiar key controls such as:
- Limiting access rights so that only the people who need access to data and systems have it, rather than everyone;
- Ensuring that the vendors that companies use also have appropriate cybersecurity controls in place;
- Ensuring you have a documented and tested incident response plan;
- Education, education, education: one of the key cybersecurity controls is to ensure that employees receive regular training on cybersecurity;
- Implementing an appropriate BYOD policy, and enforcing it;
- Implementing procedures to prevent data loss and data breaches; and
- Ensuring that you regularly revisit cybersecurity precautions and that they are in line with industry practice.
At the moment, with everyone working from home given the current crisis, there are additional risks that must be considered and assessed. My colleague Lorenzo Grillo has developed an excellent program to help companies perform a cybersecurity rapid assessment for remote working. Please let us know if you'd like to know more!
The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission recently published its Cybersecurity and Resiliency Observations to guide market participants in enhancing their cybersecurity preparedness and operational resiliency. While the SEC acknowledged that there is no "one-size-fits-all" approach, this recent discussion by OCIE is a useful guide to the industry practices and measures that OCIE may consider when assessing an organization's cybersecurity preparedness and potential deficiencies. As in recent years, cybersecurity will continue to be a key element of OCIE's examination program in 2020 and will likely remain an examination priority for years to come.