The observations by the SEC are the latest in a string of moves by regulators and government agencies that demonstrate they are increasingly concerned about corporate cybersecurity practices.
The SEC’s listing of these practices comes less than a week after the National Security Agency published guidance on how companies should secure their cloud-based services. A number of points raised in that guidance are similar to what the SEC recommends, such as using multifactor authentication, maintaining patching programs and encrypting data traffic.
Raj Bakhru, chief innovation officer at New York-based ACA Compliance Group Holdings LLC, a consultancy and technology provider for financial firms, said that although some areas that the SEC discusses are valuable, including advice on creating offline data backups, some of the more sophisticated tools and processes are out of reach for smaller companies.
“In some cases, they’re asking for big-bank control in a small hedge fund or private-equity shop. That’s not to say they shouldn’t be, but the industry is not where this document is,” he said.
In a section covering data loss, for instance, the SEC suggests that companies use systems that can detect and block data transmissions that contain sensitive information, such as Social Security or account numbers.
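To make the data-loss control in that section concrete, here is an added example (not from the report, the SEC, or the article) of the detection logic such a system runs over outbound messages: it matches Social Security and account-number patterns, then validates each match (the SSA's structural rules for SSNs, the Luhn checksum for account numbers) so that arbitrary digit strings do not trigger blocks, and masks what it found so the alert itself does not re-disclose the value. The sample messages are constructed for the illustration.

```python
"""Added example: outbound-transmission scanner for SSNs and account numbers."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 9 digits in 3-2-4 groups, with optional dash or space separators.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13-19 digits, optionally grouped with spaces or dashes (card / account numbers).
ACCOUNT_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "account"
    masked: str  # matched text with all but the last four digits replaced by "*"
    start: int   # offset of the match in the message


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area 000, 666 and 900-999 are never
    issued, and group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment cards and many account numbering schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(s: str) -> str:
    """Keep the last four digits so an alert can be triaged without leaking the value."""
    total = sum(ch.isdigit() for ch in s)
    seen = 0
    out = []
    for ch in s:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan(text: str) -> list[Finding]:
    """Return validated findings in message order; pattern hits that fail validation are dropped."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(Finding("ssn", mask(m.group(0)), m.start()))
    for m in ACCOUNT_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append(Finding("account", mask(m.group(0)), m.start()))
    return sorted(findings, key=lambda f: f.start)


def should_block(text: str) -> bool:
    """Policy decision: block any transmission with at least one validated finding."""
    return bool(scan(text))


# Constructed sample messages (the SSN and card number are well-known test values).
SAMPLE_MESSAGES = {
    "client_ssn": "Per our call, the client's SSN is 219-09-9999 and the wire goes out Friday.",
    "card_number": "Card on file: 4111 1111 1111 1111, exp 09/27.",
    "invalid_ssn": "Ticket reference 000-12-3456 assigned to the trading desk.",
    "bad_checksum": "Order id 4111 1111 1111 1112 shipped.",
    "clean": "Lunch at 12:30, room 4B.",
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        verdict = "BLOCK" if should_block(msg) else "allow"
        print(f"{name:13} {verdict:5} {[(f.kind, f.masked) for f in scan(msg)]}")
```

Two of the five constructed messages are blocked; the two that merely look like identifiers (an SSN with area 000, a card number with a bad checksum) pass, which is the false-positive pressure that separates a usable DLP control from one users learn to route around. A production deployment would also scan attachments and encrypted channels, where this text-only check sees nothing.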
It also suggests rigorous controls for systems access, including the use of randomly generated passcodes for authenticating individuals, and removing access immediately when an employee leaves a company.
A person familiar with the SEC’s approach said the regulator doesn’t expect every company it regulates to implement all of the approaches it lists, and it understands that smaller firms face challenges with cybersecurity resources. While these aren’t necessarily what the SEC would consider best practices, the person said, they are among the better ones observed.
The SEC’s report is divided into areas including access and vendor management, incident response, mobile security, governance and risk management, employee training and data-loss prevention.
“We believe that assessing your level of preparedness and implementing some or all of [these] measures will make your organization more secure,” the report said.
Other areas in the report are largely in line with established regulatory areas of focus. Under vendor management, for instance, the SEC highlights that companies should have established procedures for terminating cloud service providers and other suppliers, in order to preserve data needed for regulatory compliance when moving from one provider to another.
The report also said that companies should clearly understand the risks related to vendor use of cloud-based services, and which party is responsible, and at what point, for safeguarding sensitive information.
Financial regulators including the SEC, the Financial Industry Regulatory Authority and the National Futures Association recently flagged that they are focusing on cloud security during company audits.
Data-loss prevention is a primary focus of the SEC’s examinations. In 2019, the SEC sent a number of detailed surveys to registered investment advisers focusing on their cloud security arrangements.
Many advisers lacked the types of tools described by the SEC, particularly in terms of monitoring when sensitive information is transmitted, Mr. Bakhru said.
“Every single one of the advisers we know who were in that sweep was cited by the SEC for data-loss prevention,” he said.