As evidenced by releases from various Divisions within the SEC, including the Division of Investment Management’s Guidance Update No. 2015-02 released in April of this year, issues of cybersecurity continue to be a focus of the SEC. The most recent example of this focus came earlier this week in the form of a new National Exam Program (NEP) Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE) Sept. 15. In addition to the matters discussed below, the Risk Alert contains links to several earlier Commission and OCIE materials, including to the March 2014 SEC Cybersecurity roundtable, past NEP cybersecurity-related releases, and the 2015 SEC examination priorities.
The stated purpose of the OCIE Risk Alert is “to provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls.” Specifically, the Risk Alert identifies the following six key areas of focus of OCIE’s examination staff: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. The Risk Alert also provides a sample document request, intended to assist regulated entities in assessing their own cybersecurity programs.
A firm’s cybersecurity program, by its nature, requires ongoing review and evaluation, and it is clear from the Risk Alert that OCIE and its exam staff expects senior management and boards of directors to be involved in this process. The release of the OCIE Risk Alert provides firms with a good opportunity to reevaluate their current cybersecurity program, and the six identified areas of focus highlight crucial elements of any cybersecurity program. Further, while not an exhaustive list, the sample document request provides a roadmap to the steps, processes, and documents that a regulated firm should consider in the implementation and maintenance of its cybersecurity program.