Good Policies Are Not Enough: Reading Between the Lines of the SEC’s Security Guidance

Regulators think information governance is critical. You should, too.

T. Sean Kelly

May 21, 2020


Earlier this year, the U.S. Securities and Exchange Commission (SEC) released its most substantial cybersecurity report to date, “Cybersecurity and Resiliency Observations.” Produced by the commission’s Office of Compliance Inspections and Examinations (OCIE), the report makes a strong case that a resilient security posture depends on strong information governance (IG) practices, not just written policies.

The report includes specific guidance and recommendations drawn from five years of OCIE examination observations. In many ways it reads like an examination pamphlet, outlining the security programs a financial services institution should have in place before an examination, inquiry, or investigation arrives. While delivered in the context of security resiliency, the SEC’s guidelines are squarely focused on the foundational principles of IG best practice. The areas the report covers most extensively are governance and risk assessment, access rights and controls, proactive data loss prevention (DLP), mobile security and device management, third-party and vendor management, and training, awareness, and testing.

An overview of each area, including the SEC’s comments on it and best practices for aligning with the new guidance, follows.

Governance and risk assessment: Executive sponsorship and visible support for programs is priority number one. Without it, many initiatives will fail to gain traction within the organization, or will fail to secure ongoing budget. With a culture of security established from the top down, teams will be prepared for the often-daunting challenge of making change.

Establishing governance and assessing risk also includes an audit of existing policies and technologies, and a determination of the company’s unique risk position. A data mapping exercise will support the assessment by recording where sensitive information originates, how it flows (upstream and downstream), and where it is stored. A complete data map shows where gaps exist, and where baseline protections such as encryption and access controls are missing.

Access rights and controls: Some of the most damaging data breaches in recent history have resulted from gaps in access control. The SEC breaks this down into three key areas: user access, access management, and access monitoring. This is another area where a data map is beneficial: it defines the information landscape and helps determine which users do and do not require access to each system or category of data, so that access can be granted on a least-privilege basis. Teams should set up workflows with HR so that access is provisioned at onboarding, adjusted on position changes, and revoked at departure, with periodic access reviews to catch entitlements that have outlived the role they were granted for. Sound access control also includes other baseline practices the report calls out, including multi-factor authentication and strong, periodically changed passwords (note that current NIST guidance in SP 800-63B recommends against forced periodic rotation unless there is evidence of compromise, so a reasonable reading is to prioritize MFA and compromised-credential screening).
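As an added illustration of the joiner/mover/leaver workflow described above (this is example code, not from the article or the SEC report), the script below reconciles an HR roster against account records and flags three conditions an access review should catch: accounts whose owner has left or was never in HR (orphans), entitlements that exceed what the current role permits (typically accumulated across position changes), and accounts that have not been used within the review window. The role-to-entitlement map and all records are constructed for the example; in practice the roster would come from the HR system and the accounts from the directory or IAM platform.

```python
"""Joiner/mover/leaver access reconciliation (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Hypothetical role-based access policy: entitlements each role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "trader": {"oms", "market-data", "email"},
    "compliance": {"surveillance", "case-mgmt", "email"},
    "it-admin": {"ad-admin", "vpn-admin", "email"},
    "contractor": {"email"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user: str
    entitlements: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # ORPHAN, EXCESS or DORMANT
    detail: str


def reconcile(hr: List[HrRecord], accounts: List[Account],
              today: date, dormant_days: int = 90) -> List[Finding]:
    """Compare account state against HR truth and return review findings."""
    findings: List[Finding] = []
    hr_by_user = {r.user: r for r in hr}
    for acct in accounts:
        rec = hr_by_user.get(acct.user)
        if rec is None or rec.status == "terminated":
            # Leaver (or unknown user): the account must be disabled.
            findings.append(Finding(acct.user, "ORPHAN",
                                    "account active with no active HR record"))
            continue
        # Mover: entitlements not permitted by the current role.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append(Finding(acct.user, "EXCESS",
                                    f"role {rec.role} may not hold {sorted(excess)}"))
        # Monitoring: unused access is unnecessary access.
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.user, "DORMANT",
                                    f"no login in {dormant_days} days"))
    return findings


# Constructed sample data for the review date of the article.
TODAY = date(2020, 5, 21)
SAMPLE_HR = [
    HrRecord("alice", "trader", "active"),
    HrRecord("bob", "compliance", "active"),      # moved here from it-admin
    HrRecord("carol", "trader", "terminated"),    # left the firm
    HrRecord("erin", "contractor", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"oms", "market-data", "email"}), date(2020, 5, 20)),
    Account("bob", frozenset({"surveillance", "case-mgmt", "email", "ad-admin"}),
            date(2020, 5, 20)),
    Account("carol", frozenset({"oms", "email"}), date(2020, 4, 30)),
    Account("dave", frozenset({"vpn-admin"}), date(2020, 5, 19)),  # not in HR at all
    Account("erin", frozenset({"email"}), date(2019, 10, 1)),
]


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:7} {f.user:6} {f.detail}")
```

Running the sample flags carol and dave as orphans, bob's leftover ad-admin entitlement as excess, and erin's account as dormant; alice produces no finding. Feeding the findings to a ticketing or IAM workflow, rather than a spreadsheet, is what turns the review into the continuous monitoring the SEC describes.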

Proactive DLP: The data loss prevention sphere includes many well-known security tools and practices, including endpoint security, patch management, encryption, and insider threat monitoring. What stood out as new in the SEC’s guidance was the framing. The report expects DLP, and the range of tools and tactics that enable it, to be in place to prevent the loss of sensitive data before it happens, rather than deployed reactively after data has already been exposed.
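To make the proactive framing concrete, here is an added example (not code from the article or the SEC report) of the kind of content inspection a DLP control applies to outbound messages before they leave the organization: it looks for payment card numbers, validating candidates with the Luhn check to avoid flagging every long digit string, and for US SSN-shaped values, then decides whether to block, allow with logging, or allow based on whether the recipient is external. The internal domain, the sample messages, and the decision rules are constructed for the example; a real deployment would use vendor classifiers and the firm's own data classification scheme.

```python
"""Pre-egress DLP content check (constructed example)."""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# SSN shape with the impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

INTERNAL_DOMAIN = "example.com"  # hypothetical; the firm's own mail domain


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return candidate card numbers (separators removed) that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_card(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    return "***-**-" + ssn[-4:]


def inspect_outbound(text: str, recipient: str) -> Dict[str, object]:
    """Classify a message and decide BLOCK / ALLOW_LOG / ALLOW.

    Findings are masked so the DLP log does not itself become a data store
    of the values it is protecting.
    """
    cards = [mask_card(c) for c in find_card_numbers(text)]
    ssns = [mask_ssn(s) for s in SSN_RE.findall(text)]
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    if (cards or ssns) and external:
        action = "BLOCK"       # sensitive data leaving the firm
    elif cards or ssns:
        action = "ALLOW_LOG"   # internal; record for insider-threat review
    else:
        action = "ALLOW"
    return {"action": action, "cards": cards, "ssns": ssns, "external": external}


# Constructed sample messages: (body, recipient).
SAMPLES: List[Tuple[str, str]] = [
    ("Customer 4111 1111 1111 1111 needs a replacement card", "partner@gmail.com"),
    ("Order ref 4111-1111-1111-1112 shipped yesterday", "partner@gmail.com"),
    ("SSN 123-45-6789 is on file for the applicant", "ops@example.com"),
    ("Meeting moved to 3pm, ref 2020-05-21", "partner@gmail.com"),
]


def run_samples() -> List[Dict[str, object]]:
    return [inspect_outbound(body, rcpt) for body, rcpt in SAMPLES]


if __name__ == "__main__":
    for (body, rcpt), result in zip(SAMPLES, run_samples()):
        print(f"{result['action']:9} -> {rcpt}: {body}")
```

The second sample shows why the Luhn step matters: it is card-shaped but fails the checksum, so it is allowed rather than generating a false positive, while the first is blocked. The third carries an SSN to an internal recipient and is allowed but logged, which is the insider threat monitoring the report lists alongside DLP.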

Mobile security and device management: Most organizations, especially in the financial services industry, have had mobile security programs in place for some time. It remains an important element of a strong defense, and the SEC seems to agree. Organizations should look to improve their mobile security by putting MDM tools in place, and by ensuring the chosen tools can actually enforce the controls defined in the company’s mobile use policy. This is one area where the SEC’s message that a good policy is no longer enough really applies: a detailed mobile use policy is of little value if the organization’s MDM tooling cannot back it up. Capabilities that match the practical needs of the policy will also help teams deal with the all-too-common squeeze on resources. A proper MDM solution will help quickly diagnose problems, pick up on anomalies, and automate policy enforcement without requiring significant hands-on time from the security team.

Third-party and vendor management: In some ways an extension of access control, vendor management plays an important role in managing risk and preventing the exposure of sensitive data. Responsible third-party management and auditing of vendors has gained momentum recently and has been a focal point in new data privacy laws, particularly the California Consumer Privacy Act. It is telling that the SEC now acknowledges this area; the expectation is that firms understand their partner relationships, build programs around them, and manage contractual terms with respect to data jurisdiction. This includes managing cloud service providers through routine monitoring and testing of how they interact with and protect sensitive data. Now more than ever, it is critical for organizations to stay abreast of changes to service agreements and ensure their vendors are consistently meeting security standards.

Training, awareness, and testing: Policies are only as good as the people following them. According to the SEC, change management, clear communication, training, awareness, and table-top testing must now be baked into governance and security programs. Teams should audit programs and training activities regularly to ensure the policies are followed, enforced, and effective.


The bar has been markedly raised in terms of SEC expectations around data security, and financial services institutions need to adjust accordingly. This may include an extensive audit of current programs, pressure testing of those programs, revisions to current policies, training initiatives, and new technology implementations. The good news is that the financial services industry now has a clear outline of how the SEC views data security, and of the regulator’s benchmarks for adequate, compliant measures.

About the Author(s)

T. Sean Kelly

T. Sean Kelly is a Senior Director at FTI Consulting and is based in Philadelphia. As a senior member of the Information Governance, Privacy & Security practice of FTI Technology, Sean leverages more than a decade of experience to advise clients on all aspects of information lifecycle management.
