Author: Jamie Cahal

Cybersecurity has been a concern for market participants for quite some time and continues to remain on the SEC’s 2020 list of examination priorities. In January, the SEC Office of Compliance Inspections and Examinations (OCIE) released a publication on some of its cybersecurity observations in recent years and how to evaluate and further enhance cybersecurity programs, as well as increase operational resiliency.

The OCIE examined many market participants to gather these observations, including SEC-registered investment advisors, investment companies, and broker-dealers. The OCIE recommends that market participants review their cybersecurity program in the following key areas:

  1. Governance and Risk Management
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Mobile Security
  5. Incident Response and Resiliency
  6. Vendor Management
  7. Training and Awareness

Chairman of the SEC, Jay Clayton, recently stated, “Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts.” He continued, saying, “I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.”1

Based on these observations, there are a few questions that may serve as a starting point to review your own operations and cybersecurity plans:

Governance and Risk Management

Tone at the top can be a determining factor in how effective a cybersecurity program is. Is cybersecurity being prioritized and are risks being identified? Are you continually evaluating these risks?

Access Right and Controls

Understand who can access certain information in your systems. Are you managing user access? Are you monitoring this on a periodic basis?

Data Loss Prevention

In recent years, it’s been said that the world’s most valuable resource is no longer oil, but data.2 Are the right tools and processes in place to ensure that sensitive data is not lost or misused?

Mobile Security

Mobile device and application usage continue to grow. With that, additional cybersecurity vulnerabilities may be created. Do your policies and procedures mention the use of mobile devices? Are you managing employee mobile devices? Are you taking measures to ensure business information is not being saved on personal devices?

Incident Response and Resiliency

Cybersecurity breaches often only take minutes but can take months to discover. In the case of a cybersecurity breach, do you have an incident response plan in place? Have you designated employees with specific roles and responsibilities in the event of a cyber incident? In the case of a disruption, how can you continue to provide your core business services?

Vendor Management

Do you understand your vendor relationships and what access they have to certain systems or networks? Are you ensuring that your vendors are meeting your security requirements?

Training and Awareness

The first line of defense against cyber threats and attacks are the employees. Do you have consistent training and exercises in place? Are you continually updating your training and including exercises in your trainings?

How We Can Help

Cybersecurity threats continue to become more sophisticated and aggressive. Key Bridge Compliance can help you create and manage cybersecurity and operational resiliency plan by:

  • Working with you to create or update policies and procedures to mitigate cybersecurity risks and threats
  • Training employees on cybersecurity best practices
  • Developing risk assessments
  • Completing Third-Party Vendor Due Diligence

For questions, contact Key Bridge Compliance, LLC at or send us an email at

1Cybersecurity and Resiliency Observations

2 The Economist