The SEC's Office of Compliance Inspections and Examinations ("OCIE") recently published[1] additional information on the areas of focus for OCIE's second round of cybersecurity examinations of registered investment advisers and registered broker-dealers. SEC examiners will gather information on cybersecurity-related controls and procedures and will also test to assess implementation of certain firm controls and procedures, focusing on the following areas:

  • Governance and Risk Assessment - generally, policies and procedures related to the protection of client records/information and patch management practices (i.e., the development of a systematic and controlled process to update or "patch" vulnerabilities in existing software systems and applications); cybersecurity risk assessment processes; cybersecurity incident response planning.
  • Access Rights and Controls - generally, policies and procedures designed to prevent unauthorized access to firm network resources and devices; restrictions on access to certain systems and data via management of user credentials, authentication and authorization methods.
  • Data Loss Prevention - generally, policies and procedures related to enterprise data loss prevention, data classification, monitoring the transfer of sensitive information outside of the firm (whether authorized or unauthorized).
  • Vendor Management - generally, policies and procedures related to the use of third-party vendors; due diligence with regard to vendor selection, monitoring, oversight, contract terms and contingency plans.
  • Training - training provided to employees and third-party vendors regarding information security and risks.
  • Incident Response - generally, policies and procedures addressing mitigation of the effects of a cybersecurity attack; testing of an incident response plan; records of any cyber incidents.

OCIE included in the risk alert a sample request for information and documents that examiners will be using as part of the Cybersecurity Examination Initiative.