SEC OCIE Guidance on Cybersecurity

The U.S. Security and Exchange Commission’s Office of Compliance Inspections and Examinations has come out with a new guidance on cybersecurity.

Here is the money quote:

Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate, and mitigate cybersecurity risks. While the effectiveness of any given cybersecurity program is fact-specific, we have observed that a key element of effective programs is the incorporation of a governance and risk manage- ment program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.