(Image: Shutterstock)
The Securities and Exchange Commission's (SEC's) exam division released on Monday a guide to best practices it's observed in exams to combat cybersecurity infractions, data loss, and privacy breaches.
In its 13-page Cybersecurity and Resiliency Observations report, the Office of Compliance Inspections and Examinations (OCIE) details practices examiners have observed in the following areas: governance and risk management, access and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.
In sharing the staff observations, OCIE said that it encourages market participants to review their practices, policies, and procedures with respect to cybersecurity and operational resiliency.
"We believe that assessing your level of preparedness and implementing some or all of the … measures will make your organization more secure," the report states.
"As markets, market participants, and their vendors have increasingly relied on technology, including digital connections and systems, cybersecurity risk management has become essential," the report adds.
"Indeed, in an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation-state actors—firms participating in the securities markets, market infrastructure providers, and vendors should all appropriately monitor, assess, and manage their cybersecurity risk profiles, including their operational resiliency."
In the area of mobile security, for instance, "mobile devices and applications may create additional and unique vulnerabilities," the report notes.
OCIE has observed the following mobile security measures at organizations utilizing mobile applications:
- Policies and procedures. Establishing policies and procedures for the use of mobile devices.
- Managing the use of mobile devices. Using a mobile device management (MDM) application or similar technology for an organization's business, including email communication, calendar, data storage, and other activities. If using a "bring your own device" policy, ensuring that the MDM solution works with all mobile phone/device operating systems.
- Implementing security measures. Requiring the use of multi-factor authentication for all internal and external users. Taking steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones, or tablets. Ensuring the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.
- Training employees. Training employees on mobile device policies and effective practices to protect mobile devices.
From: ThinkAdvisor
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Melanie Waddell
Melanie is senior editor and Washington bureau chief of ThinkAdvisor. Her ThinkAdvisor coverage zeros in on how politics, policy, legislation and regulations affect the investment advisory space. Melanie’s coverage has been cited in various lawmakers’ reports, letters and bills, and in the Labor Department’s fiduciary rule in 2024. In 2019, Melanie received an Honorable Mention, Range of Work by a Single Author award from @Folio. Melanie joined Investment Advisor magazine as New York bureau chief in 2000. She has been a columnist since 2002. She started her career in Washington in 1994, covering financial issues at American Banker. Since 1997, Melanie has been covering investment-related issues, holding senior editorial positions at American Banker publications in both Washington and New York. Briefly, she was content chief for Internet Capital Group’s EFinancialWorld in New York and wrote freelance articles for Institutional Investor. Melanie holds a bachelor’s degree in English from Towson University. She interned at The Baltimore Sun and its suburban edition.
