The threats to data have become so pervasive that the U.S. Securities and Exchange Commission (SEC) has stepped in to address cybersecurity preparedness. In 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) put forth its 2014 Examination Priorities, and in March the Commission sponsored a Cybersecurity Roundtable. Commission Chair Mary Jo White emphasized the need to bridge the government and private sector and to take steps to address the threats.
As a result, the SEC can now request information from registered organizations. Below is an outline of what can be requested during an examination. Some questions and provisions are based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity”.
Risk Assessment
The SEC requires firms to provide disclosure of their policies and procedures. This includes a look at governance practices, such as an inventory of devices and systems/software. Maps of network resources and connections, and how those resources are prioritized, are also required. The Commission also asks for:
- A written information security policy.
- An assessment of cybersecurity threats using specific guidelines.
- A list of who conducts assessments and what has been found.
- Roles and responsibilities within the company.
- A copy of the business continuity plan.
- Who is responsible for overseeing cybersecurity within the company.
- Whether, and what kind of, insurance covers expenses related to cybersecurity incidents.
Network/Information Protection
- The SEC requires companies to identify whether any specific published standards are followed. Businesses often model their information security systems on NIST or ISO standards.
- In addition, the Commission outlines a set of practices and controls and requests entities to indicate the ones used.
Are you worried about meeting the SEC OCIE Cybersecurity guidelines?
If you’re responsible for meeting the SEC guidelines, then Brainlink would like to offer you our SEC OCIE Compliance Assessment Toolkit.
This toolkit will enable us to rapidly, and thoroughly, assess your key exposures, and build a remediation and compliance plan.
Schedule a meeting with Raj Goel, CISSP, today!
Email raj@brainlink.com or visit: https://www.brainlink.com/sec-audit/