On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its report on cybersecurity and operational resiliency practices that OCIE has observed in its examinations of thousands of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants. Although the report doesn’t specifically focus on municipal issuers and obligated persons, the practices discussed in the report represent key elements of effective IT security programs that are highly relevant to everyone.

The report discusses best cybersecurity practices in the following areas:

  • Governance and Risk Management, including a risk assessment; written cybersecurity policies and procedures; and effective implementation and enforcement of such policies and procedures.

  • Access Rights and Controls, including limiting access to sensitive systems and data; recertifying users’ access rights on a periodic basis; requiring strong and periodically changed passwords; and revoking system access immediately for individuals no longer employed by the organization, including former contractors.

  • Data Loss Prevention, including vulnerability scanning; preventing unauthorized or harmful network traffic; and implementing the ability to detect incoming fraudulent communications.

  • Mobile Security, including using mobile device management technology; and requiring the use of multi-factor authentication for all internal and external users.

  • Incident Response and Resiliency, including developing a risk-assessed incident response plan for various scenarios such as denial of service attacks, malicious disinformation and ransomware; addressing applicable reporting requirements for cyber incidents; determining which systems and processes can be substituted during disruption so that business services can continue to be delivered; and maintaining back-up data in a different network and offline.

  • Vendor Management, including establishing a vendor management program to ensure vendors meet security requirements; and monitoring vendor relationships to ensure that the vendor continues to meet security requirements.

  • Training and Awareness, including providing examples and exercises in trainings to help employees identify and respond to possible breaches or suspicious behavior.

Ransomware attacks specifically targeting governments and school districts have increased dramatically in the past few years. School districts may be particularly vulnerable because they tend to have smaller IT staff, older systems and less cybersecurity expertise. See Hackers’ Latest Target: School Districts, The New York Times, July 28, 2019; School Districts Remain Vulnerable to Cyber Attacks, Security Boulevard, October 3, 2019. In addition to the well-known 2018 ransomware attack on the City of Atlanta, in 2019 hackers attacked the Georgia state court system, the Georgia Department of Public Safety, the Henry County government, and the Lawrenceville Police Department. Issuers are encouraged to evaluate their IT security programs and incorporate the best practices observed in the OCIE report.

Click here to read the full OCIE report.