On Jan. 27, the Securities and Exchange Commission (SEC), Office of Compliance Inspections and Examinations (OCIE) issued a report titled “Cybersecurity and Resiliency Observations.” The report provides observations about practices that financial institutions such as broker-dealers, investment advisers, clearing houses and other SEC-registered entities use to protect against cybersecurity threats. These insights are the byproduct of thousands of examinations performed by the OCIE. The report groups the practices observed into seven categories: governance and risk-management programs; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. As to the report’s purpose, OCIE states that its observations about these practice areas are being offered “to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.” In other words, all registered entities and public companies should consider the practices observed by OCIE when building their cybersecurity programs.

Although the report has no legal force or effect, all public companies, even non-SEC registrants, would be wise to consider making the observed practices part of their own cybersecurity risk management strategy, as the report may be relied upon in enforcement proceedings or by plaintiffs’ counsel in private securities litigation. The report should not be viewed in a vacuum either. It is recent commentary, but not the only guidance the SEC has issued regarding cybersecurity-related industry practices. Another well-known body of SEC guidance concerns disclosures required in registration statements related to both “cybersecurity risks and cyber incidents.” This disclosure guidance was originally issued by the SEC, Division of Corporation Finance on Oct. 13, 2011, after it determined “that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.” On Feb. 21, 2018, the SEC issued interpretive guidance to update and reinforce the guidance issued in 2011. Notably, the 2018 guidance, among other things, stressed the importance of maintaining “comprehensive policies and procedures related to cybersecurity risks and incidents.”