The Securities and Exchange Commission released fresh advice on Monday about cybersecurity risk, on everything from oversight of cybersecurity risk to nitty-gritty practices around access controls, vendor management, operational resiliency, and more. Compliance, security, and risk professionals will want to give this a read.
The advice comes in the form of a 13-page bulletin published by the SEC Office of Compliance Inspections and Examinations (OCIE), which reviews financial firms regularly for the effectiveness of their compliance programs — including cybersecurity. And while the advice comes from inspections of financial firms, plenty of the material is useful for businesses of any sector.
Governance and risk management. The guide begins with the obligatory look at top-level oversight of cybersecurity risk. Some of its points here are obvious: firms should have senior executive support for strong cybersecurity, where the C-suite and even the board help to steer the firm’s cybersecurity and resilience strategy. Likewise, firms should also have comprehensive written policies, as well as regular testing and monitoring of cybersecurity systems.
That’s sensible stuff, but we’ve all heard it before. OCIE raised two other points that are worth considering at length.
First, the company’s risk assessment should “include considering the organization’s business model, as part of defining a risk assessment methodology.” What does that mean, exactly? It means considering risks inherent in how the company operates, irrespective of the technology you use to do it.
For example, do you want lots of employees to work remotely, so they can meet clients more often? Do you want to expand into high-risk geographic markets such as China, where industrial espionage and data theft are rampant? Do you want to use independent contractors who have their own tech devices, or full-time employees who use yours?
In other words, a good cybersecurity risk assessment will involve a lot of studying strategic choices the company makes for its business operations, and then reverse-engineering potential security risks and mitigating controls from there.
Second, wise firms continuously evaluate and adapt to changes. Part of that is responding to security deficiencies you find from testing and monitoring, yes — but another part is responding to changes in how the company operates. For example, if the management team does decide to move from full-time sales teams to independent contractors, the risk officer needs to adjust policies, procedures, and controls accordingly.
Altogether, good governance of cybersecurity risk implies a lot more collaboration between risk management teams and operating units in the First Line of Defense.
Access Control Ideas
The bulletin has another section on access controls. The most important point here is specifically about access management. That can encompass everything from strong segregation-of-duties for user access approvals; a password policy that favors strong, frequently changed passwords (ugh); use of multi-factor authentication via key-fob or temporary code sent to the user’s phone; and tight oversight of employee termination processes, to cut off access to people who no longer need it.
I would only stress that companies should think hard about password policies, since policies that are too difficult often create more risk than they mitigate. Complicated password requirements lead people to reuse the same basic password over multiple apps, or just write down the passwords on a Post-It note stuck to the computer terminal. A wiser approach might be to use one single sign-on (SSO) for all access, but govern that with multi-factor authentication.
Also, let’s remember that moving up the chain of command at your organization shouldn’t automatically mean more access privileges. Companies always want to use the Principle of Least Privilege, where people only have the minimum access they need to do their jobs — and when you move into senior roles, you might not need access to systems or data you previously did. For example, at large organizations, there’s no reason for the CFO to be able to enter new vendors. He or she only needs to do strategic financial planning.
Cybersecurity & Resiliency
We’ve written about the importance of operational resiliency on this blog previously, and the subject makes an appearance in this OCIE guidance as well. Again, resiliency is your organization’s ability to withstand and recover from disruption — so the more you rely on technology to manage mission-critical systems, the more important building a resilient organization is.
OCIE had two recommendations on this subject. First, maintain an inventory of core business operations and systems, including systems over which your company might not have direct control — such as when you outsource data storage, payroll processing, email systems, or even billing.
Then develop a plan for business continuity should any of those systems suddenly fail. Could you substitute another application for one that’s crashed? Do you have geographically separate back-up repositories of data and systems? Do you know your disclosure obligations — either by regulatory rule or contract with customers — if you experience a failure?
OCIE’s bulletin then neatly flows into another section about vendor risk management, which is excellent because resiliency and vendor risk are now intertwined to the extreme. You can’t achieve resiliency without a strong grasp of vendor risks.
That’s going to mean practical steps such as policies and procedures to define vendor relationships. Contracts need to be clear about rights, responsibilities, expectations, and other terms that explain how security risk is addressed. Your company needs procedures to get that clarity included in the agreement; only then can you understand what your remaining security risk is, and implement mitigating controls as needed.
The challenge: it’s now really easy for employees to disregard those policies and procedures and find some Mickey-the-Dunce tech vendor that delivers its services via the cloud. You, the risk management function, might have no visibility into those agreements or even into whether employees are doing this at all. So there’s a need for strong policies and training about employees hiring tech vendors, too.
Anyway, the OCIE guidance is a great cheat-sheet of wise security practices every business should undertake. Lord knows the risk isn’t going away any time soon.