In hopes of better equipping companies in the face of mounting cyber threats, the compliance arm of the U.S. Securities and Exchange Commission released guidance on practices, policies, and procedures last week.

The SEC's Office of Compliance Inspections and Examinations (OCIE) released a report recapping the agency's Cybersecurity and Resiliency Observations last Monday. The agency claims it arrived on its findings through a series of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC parties.

Content wise, the document runs the gamut, covering the SEC's thoughts on governance and risk management, access rights, data loss prevention, mobile security, incident response, and so on.

With regards to data loss prevention, the SEC advises organizations to implement capabilities that can control, monitor, and inspect incoming and outgoing traffic - especially to email, cloud-based file sharing sites, and removeable media like USB sticks.

Solutions should also be able to detect threats on endpoints by leveraging both signature and behavioral capabilities, and encrypt data in motion and at rest.

To address malicious or negligence insiders, organizations should create a program designed to sniff out suspicious behavior, create rules to identify and block the transfer of sensitive data - like account numbers, social security numbers, trade information, and source code. All of these mechanisms should inform business operations as they relate to technology, the SEC advises.

Like its guidance on insider threats, the bulk of the remainder of the document is preventative in nature. It includes tips on developing a risk assessment program, establishing policies around mobile device usage, ensuring any third-party vendors use the appropriate safeguards, and rolling out cybersecurity training and awareness.

While it isn't imperative that organizations follow the recommendations, it is likely the guidance could factor into future SEC examinations. The release of the document also suggests the SEC could be carrying out more examinations and in turn, heavier enforcement, in 2020.

The SEC and OCIE alike are still hoping organizations will take the time to incorporate the guidance into their cybersecurity assessments.

“Through risk-targeted examinations in all five examination program areas, OCIE has observed a number of practices used to manage and combat cyber risk and to build operational resiliency,’ said Peter Driscoll, Director of OCIE.  “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cybersecurity practices.”

The SEC, like many government agencies of late, has taken cybersecurity more seriously over the last couple of years. It released some of its first guidance around cybersecurity risks in 2018, focusing on pre-incident public disclosure, board oversight, and data security incident disclosure.

It wasn't too long ago that the SEC was dealing with its own insider threat situation. Last fall, a former compliance officer with the SEC's Enforcement Division, Michael Cohn, was indicted by the Department of Justice after reportedly taking data from the agency to help him land a job at the firm he was investigating, GPB Capital Holdings.

“No one gets a pass for breaching the security of government computer networks and misusing sensitive and confidential information for their own benefit,” Richard Donoghue, the U.S. Attorney who announced the charges, said at the time.

Securities and Exchange Commission photo via glass_window's Flickr photostream, Creative Commons