2021 SEC Division of Examinations Security Priorities Report

by Andrew Werking

This week the SEC's Division of Examinations (EXAMS) released its 2021 Examination Security Priorities. The report noted the importance of information security and operational resiliency during the pandemic. Even with the shift to work-from-home environments, financial services firms maintained continuity, resiliency, and dependability.

The report looks ahead and discusses how firms will need to continue adapting to protect data, specifically how they:

  1. safeguard customer accounts and prevent account intrusions, including verifying an investor's identity to prevent unauthorized access;
  2. oversee vendors and service providers;
  3. address malicious email activities, such as phishing or account intrusions;
  4. respond to incidents, including those related to ransomware attacks; and
  5. manage operational risk as a result of dispersed employees in a work-from-home environment.

EXAMS will directly concentrate on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information (PII) maintained with third-party cloud service providers, and firms' policies and procedures to protect investor records and information.

Business Continuity and Disaster Recovery Plans

Given the significant disruptions in 2020, EXAMS will continue to review registrants' business continuity and disaster recovery plans (DRPs). The Division will pay particular attention to whether plans account for the growing physical and other relevant risks related to climate change, including whether DRPs have effective practices in place to improve responses to large-scale events.

Increased Concerns About Vendor Risk Management

Regarding vendor risk management, the Division stated it will review whether firms have taken appropriate measures to safeguard customer accounts and prevent account intrusions, including identity verification to prevent unauthorized account access, with attention to:

  • Endpoint security
  • Data loss
  • Remote access
  • Use of third-party communication systems

As firms (e.g., advisers to private funds and registered investment companies) increasingly use alternative and non-traditional data to make decisions, EXAMS will review whether controls and compliance measures are in place around the creation, receipt, and use of such information.

Security and Safeguard Measures Around Work-From-Home Environments

When looking at remote work environments, EXAMS will be monitoring vendor and service provider assessments, including:

  • Safeguarding customer accounts and preventing account intrusions, including verifying an investor's identity to prevent unauthorized account access
  • Overseeing vendors and service providers
  • Addressing malicious email activities such as phishing or account intrusions
  • Responding to incidents, including those related to ransomware attacks
  • Managing operational risk as a result of dispersed employees

EXAMS will continue to focus on controls surrounding:

  • Online and mobile application access to investor account information
  • Electronic storage of books and records and PII maintained with third-party cloud service providers
  • Firms' policies and procedures to protect investor records and information

At Agio, our teams of experts provide industry-leading solutions for extended detection and response (XDR), incident response, email threat detection, and phishing protection. We review your cybersecurity program and ensure it meets your objectives (including those set by EXAMS).

If you have questions or need an industry leader to get you in fighting shape, give us a call. We’re here to help you develop the programs and teams you need to continue to thrive now and in the future.