The US Securities and Exchange Commission’s Division of Examinations (DoE), formerly the Office of Compliance Inspections and Examinations (“OCIE”), is the second largest department of the SEC (after Enforcement) and oversees examinations of financial institutions as part of its National Examinations Program. Charged with oversight of the US financial industry, the DoE’s mission is to “protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies that: (1) improve compliance; (2) prevent fraud; (3) monitor risk; and (4) inform policy.”
While traditionally focused on financial fraud, the division has been stepping up both its guidance on, and its attention to, the cyber resilience of investment and financial services firms. Because of the division’s critical oversight role and its status as a bellwether for investors, an issue raised during a firm’s examination can have far-reaching implications, so organizations are strongly encouraged to take proactive steps to avoid findings during examination.
In its latest report, the division states that “the seriousness of the threats and the potential consequences to investors, issuers, and other securities market participants, and the financial markets and economy more generally, are significant and increasing,” and lays out guidance for firms on what is expected.
As advisory firm Mayer Brown points out in its summary of the SEC’s 2020 report, “effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their entity’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks,” and the SEC expects firm leadership to support efforts to improve cyber resiliency.
In serious cases, failure by leadership to invest in or act on compliance and cyber resiliency can result in sanctions, and the SEC has recently shown an increased willingness to sanction firms for deficient cybersecurity procedures.
Just last month, the SEC sanctioned eight firms; in the accompanying statement, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated clearly:
“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Adopting an external attack surface management solution is one proactive step organizations can take to demonstrate their commitment not simply to good cyber policy, but to sound security implementation.
The Top SEC Cyber Risks:
The SEC maintains a cyber spotlight page where it provides ongoing guidance and recommendations to firms on new or emerging threats. Topics of recent alerts include:
In its note on ransomware, the SEC called out the risk of exposing RDP to the internet and encouraged organizations to implement controls for auditing their networks for systems using RDP.
How Organizations Can Use EASM to Improve Cyber Resiliency & Meet the SEC Cyber Expectations
To effectively manage cyber risk, you first need a solid handle on your attack surface. Unfortunately, it’s estimated that most firms have visibility into only 70% of the assets they have exposed to the internet. The remainder is “shadow risk”: exposure unknown to the security or vulnerability management teams responsible for it.
Ransomware actors and others have taken advantage of this gap, with the result that RDP has become the #1 source of ransomware infections and vulnerability exploitation has surpassed phishing as the #1 source of security incidents. Gartner estimates that, as a result, 1 in 3 breaches stem from “Shadow IT.”
External attack surface management (EASM) solutions help security teams achieve compliance by providing an ongoing assessment of an organization’s external-facing assets. Cloud-based and turnkey, EASM solutions provide an adversary’s-eye view of an organization’s discoverable attack surface, enabling teams to better judge the likelihood and impact of an attack. They also continually monitor the attack surface by tracking and identifying changes in assets and risk over time. Setup is minimal, as there are no agents to deploy, and most organizations begin to see value within a matter of days.
When used properly, EASM provides an alternative perspective that teams can use to confidently answer the questions SEC examiners are likely to ask, such as:
- How do you monitor what’s exposed?
- Do you have RDP exposed to the internet? How would you know?
- How do you ensure your external attack surface represents an acceptable level of risk?
- How do you monitor if the risk from your attack surface is growing or shrinking over time?
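The examiner questions above (is RDP exposed, is the attack surface growing or shrinking, is anything exposed that the inventory does not know about) boil down to comparing what is discoverable from the outside against what you believe you own, and against what was discoverable last time. The following is an added example, not code from the original post or from Randori: it takes two constructed snapshots of externally visible services (fictional IPs from documentation ranges), a constructed asset inventory, and produces the answers a team would bring to an examination. The hypothetical `ms-wbt-server` service label and port 3389 are the standard identifiers for RDP; the snapshot format is an assumption standing in for whatever your scanner or EASM product exports.

```python
"""Compare two external-exposure snapshots against an asset inventory and
report exposed RDP, unknown (shadow) hosts, and attack-surface trend."""

RDP_PORT = 3389
RDP_SERVICE = "ms-wbt-server"

# Constructed sample data (not real assets): each entry is (host, port, service)
# as an external scan or EASM export might list it.
SNAPSHOT_PREVIOUS = [
    ("203.0.113.10", 443, "https"),
    ("203.0.113.10", 22, "ssh"),
    ("203.0.113.25", 443, "https"),
]
SNAPSHOT_CURRENT = [
    ("203.0.113.10", 443, "https"),
    ("203.0.113.25", 443, "https"),
    ("203.0.113.25", 3389, "ms-wbt-server"),  # RDP newly exposed on a known host
    ("198.51.100.7", 3389, "ms-wbt-server"),  # RDP exposed on a host nobody inventoried
]

# Constructed inventory of hosts the organization believes it owns and manages.
KNOWN_ASSETS = {"203.0.113.10", "203.0.113.25"}


def exposed_rdp(snapshot):
    """Hosts in the snapshot exposing RDP, matched on port or service label."""
    return sorted({host for host, port, service in snapshot
                   if port == RDP_PORT or service == RDP_SERVICE})


def unknown_hosts(snapshot, inventory):
    """Externally visible hosts absent from the inventory: the 'shadow IT' gap."""
    return sorted({host for host, _, _ in snapshot} - set(inventory))


def surface_delta(previous, current):
    """(added, removed) lists of (host, port) pairs between two snapshots."""
    prev = {(host, port) for host, port, _ in previous}
    cur = {(host, port) for host, port, _ in current}
    return sorted(cur - prev), sorted(prev - cur)


def examiner_report(previous, current, inventory):
    """Assemble the answers to the examiner-style questions in one structure."""
    added, removed = surface_delta(previous, current)
    net_change = len(added) - len(removed)
    if net_change > 0:
        trend = "growing"
    elif net_change < 0:
        trend = "shrinking"
    else:
        trend = "stable"
    return {
        "exposed_rdp_hosts": exposed_rdp(current),
        "unknown_hosts": unknown_hosts(current, inventory),
        "services_added": added,
        "services_removed": removed,
        "net_change": net_change,
        "trend": trend,
    }


if __name__ == "__main__":
    report = examiner_report(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT, KNOWN_ASSETS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real exports, the `unknown_hosts` list is the one to act on first: a host that exposes RDP and is also missing from the inventory is exactly the combination the SEC’s ransomware note warns about, and the snapshot-to-snapshot delta is what lets you show an examiner that the exposure is trending in the right direction rather than simply asserting it.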
While EASM won’t solve all your cyber resiliency challenges, it can help ensure you’re not blind to the ones your adversaries will exploit and provide a powerful tool for monitoring and improving your existing efforts. After all, you probably know your attack surface better than your adversary — but the only way to know for sure is to ask.
Curious what we’d discover? Get started today for free with a 14-day trial of Randori Recon.