The SEC's Office of Compliance Inspections and Examinations ("OCIE") recently published additional information on the areas of focus for OCIE's second round of cybersecurity examinations of registered investment advisers and registered broker-dealers. SEC examiners will gather information on cybersecurity-related controls and procedures and will also test to assess implementation of certain firm controls and procedures, focusing on the following areas:
- Governance and Risk Assessment - generally, policies and procedures related to the protection of client records/information and patch management practices (i.e., the development of a systematic and controlled process to update or "patch" vulnerabilities in existing software systems and applications); cybersecurity risk assessment processes; cybersecurity incident response planning.
- Access Rights and Controls - generally, policies and procedures designed to prevent unauthorized access to firm network resources and devices; restrictions on access to certain systems and data via management of user credentials and authentication and authorization methods.
- Data Loss Prevention - generally, policies and procedures related to enterprise data loss prevention, data classification, monitoring the transfer of sensitive information outside of the firm (whether authorized or unauthorized).
- Vendor Management - generally, policies and procedures related to the use of third-party vendors; due diligence with regard to vendor selection, monitoring, oversight, contract terms and contingency plans.
- Training - training provided to employees and third-party vendors regarding information security and risks.
- Incident Response - generally, policies and procedures addressing mitigation of the effects of a cybersecurity attack; testing of an incident response plan; records of any cyber incidents.
OCIE included in the risk alert a sample request for information and documents that examiners will be using as part of the Cybersecurity Examination Initiative.