(Image: Shutterstock)

The Securities and Exchange Commission's exam division releasedon Monday a guide to best practices it's observed in exams tocombat cybersecurity infractions, data loss and privacybreaches.

In its 13-page Cybersecurity and Resiliency Observationsreport, the Office of Compliance Inspections and Examinationsdetails practices examiners have observed in the following areas:governance and risk management; access and controls, data lossprevention; mobile security; incident response and resiliency;vendor management; and training and awareness.

In sharing the staff observations, OCIE said that it encouragesmarket participants to review their practices, policies andprocedures with respect to cybersecurity and operationalresiliency.

"We believe that assessing your level of preparedness andimplementing some or all of the … measures will make yourorganization more secure," the report states.

"As markets, market participants, and their vendors haveincreasingly relied on technology, including digital connectionsand systems, cybersecurity risk management has become essential,"the report adds.

"Indeed, in an environment in which cyber threat actors arebecoming more aggressive and sophisticated — and in some cases arebacked by substantial resources including from nation state actors— firms participating in the securities markets, marketinfrastructure providers and vendors should all appropriatelymonitor, assess and manage their cybersecurity risk profiles,including their operational resiliency."

In the area of mobile security, for instance, "mobile devicesand applications may create additional and unique vulnerabilities,"the report notes.

OCIE has observed the following mobile security measures atorganizations utilizing mobile applications:

• Policies and procedures. Establishing policiesand procedures for the use of mobile devices.
• Managing the use of mobile devices. Using amobile device management (MDM) application or similar technologyfor an organization's business, including email communication,calendar, data storage and other activities. If using a "bring yourown device" policy, ensuring that the MDM solution works with allmobile phone/device operating systems.
• Implementing security measures. Requiring theuse of multi-factor authentication for all internal and externalusers. Taking steps to prevent printing, copying, pasting or savinginformation to personally owned computers, smartphones or tablets.Ensuring the ability to remotely clear data and content from adevice that belongs to a former employee or from a lostdevice.
• Training employees. Training employees onmobile device policies and effective practices to protect mobiledevices.