Data Security

SEC Releases InfoSec “Roadmap” for GLBA Entities

Published: Feb. 03, 2020

Updated: Oct. 05, 2020

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has released a new report, entitled Cybersecurity and Resiliency Observations, which stands as their most detailed and comprehensive information security guidance to date. Companies supervised by OCIE may want to consider the report to be an information security “benchmark,” as it amounts to a kind of roadmap for navigating the SEC’s supervisory expectations for cybersecurity programs.

Although cybersecurity has long been an area of concern for the agency, the latest report demonstrates a new level of sophistication and technical fluency for OCIE. Much of the guidance adds significant detail to some of OCIE’s previous recommendations (e.g., asset management; identity management; awareness and training; operational resilience), while some of the recommendations are almost entirely new.

SEC OCIE Cybersecurity and Resiliency Observations

OCIE Risk Alert History:

05/23/2019Safeguarding Customer Records and Information in Network Storage

08/07/2017Observations From Cybersecurity Examinations

09/15/2015OCIE’s 2015 Cybersecurity Examination Initiative


The report identifies best practices that OCIE has identified across seven categories of controls, including governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Here are some of the ways the report reflects OCIE’s evolving views on cybersecurity preparedness:

  • Mobile Security – OCIE devotes an entire section of the report to mobile security and lists several ways in which organizations can ensure that they adequately address mobile devices’ unique vulnerabilities. In addition to crafting policies for the use of mobile devices, for example, the report recommends using mobile device management software and requiring all internal and external users to utilize multi-factor authentication.
  • Incident Response Considerations – OCIE’s previous guidance stressed the importance of having an incident response plan, but the new report includes specific considerations such as addressing applicable reporting requirements, developing a communication strategy for various stakeholders, and delegating particular roles for employees to take on in the event of a cyber incident.
  • Contextual Data Protection – Although the report cites to techniques OCIE has identified before—such as conducting vulnerability scans and implementing a patch management program—it addresses data protection in new and notable contexts, such as developing an insider threat monitoring program and creating a system for ensuring that legacy hardware and software do not create vulnerabilities when decommissioned.

The issuance of comprehensive guidelines, as well as the fact that information security is once again on OCIE’s list of examination priorities this year, should indicate to financial firms that the SEC has increasingly stringent expectations on this subject. Entities under OCIE’s supervision should consider developing and finessing their cybersecurity strategies accordingly.