OCIE Cybersecurity Update for Market Participants
Articles by: Richey May, Feb 18, 2020
On January 27th, the Office of Compliance Inspections and Examinations released an updated report on the requirements and industry best practices that market participants should be following in order to reduce their overall cybersecurity risk. Our team of cybersecurity experts have highlighted important factors from the OCIE report below.
Similar to other state-level requirements such as NYDFS.NYCRR.500 – the OCIE is recommending:
Senior Level Engagement
The board and senior leadership of the market participant should have visibility and insight into the overall cybersecurity strategy and state of cybersecurity within the company. This includes the completion of an annual enterprise risk assessment and periodic security testing such as penetration testing, vulnerability scanning, and reporting on vulnerabilities and improvements required to increase the maturity of the cybersecurity program.
Annual documentation and review of policies and procedures
Policies and procedures should be documented and reviewed annually. This includes the development of formal incident response and disaster recovery procedures. These resiliency plans should be tested annually.
Need to Know Data Limitations
OCIE is recommending that companies limit access to data and systems on a “need to know” basis.
Use Multi-Factor Authentication
MFA should be used where possible for all internal and external users.
Monitor System Access
Access to all systems, especially sensitive systems, should be logged and monitored.
Conduct Vulnerability Scans
Firms should conduct periodic vulnerability scans across their internal and external environments.
Protect Your Data
Data Loss Prevention (DLP) and Cloud Security Access Broker (CASB) should be used to ensure sensitive content is filtered, monitored and protected.
Monitor Malicious Behavior
Endpoint security should monitor for malicious behavior. Tools like MDR and EDR should be considered over more traditional Anti-Virus.
Understand and manage your assets
Asset management is critical, this includes understanding where data is stored and used while ensuring all systems are patched and kept up to date. Both company-owned and personal mobile devices should be monitored and secured using an MDM solution.
Periodic cybersecurity training should be conducted.
It is important to establish a vendor management system as third-party vendors must also be vetted for their cybersecurity posture. If you are using a vendor to manage your data or cybersecurity initiatives, it is important that you ensure the appropriate safeguards have been implemented on their end. High risk and critical vendors should be reviewed annually.
For more details about these best practices and OCIE observations for your company, read the OCIE report in its entirety.