In April 2014, OCIE announced that it would conduct examinations to identify cybersecurity risks and assess cybersecurity preparedness in our industry. In February 2015, OCIE published the findings of those examinations, including some of the legal, regulatory, and compliance issues associated with cybersecurity. OCIE then announced in its 2015 Examination Priorities that it would focus on cybersecurity compliance and controls. In this new Risk Alert, OCIE describes the areas of focus for its 2016 cybersecurity examinations and the testing it will perform to assess how firms have implemented their procedures and controls.
This initiative will focus on the following areas:
Governance and Risk Assessment: assess whether you are periodically evaluating cybersecurity risks and whether the controls in place are tailored to the business.

Access Rights and Controls: assess the risk of failing to implement controls that prevent unauthorized access to systems or information, such as updating access rights based on personnel or system changes.

Data Loss Prevention: assess how firms monitor the volume of content transferred outside of the firm by employees or third parties such as vendors, and how you verify the authenticity of a client request to transfer funds.

Vendor Management: assess the risk of breaches due to the hacking of a third-party vendor's platform, and the due diligence applied in the selection and monitoring of third-party vendors.

Training: assess whether employees and vendors receive proper training, tailored to specific job functions and designed to encourage responsible employee and vendor behavior.

Incident Response: assess whether you have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address future events or attacks on your systems.
Attached as an Appendix to the Risk Alert is a sample list of information the examination staff may request during cybersecurity examinations. The sample request includes items from each of the six areas described above and is fairly lengthy, so we suggest that you sit down with your IT staff or consultant and determine whether you have the ability to provide this information upon the Staff's request; if so, how long it would take; and if not, what actions you can take. If the requested information is not obtainable, be prepared to explain that to the SEC.
We're always gratified when the SEC is willing to let us know what it is looking for in advance of an examination. Knowing that probably only 10% of the adviser population will be examined in any one year is no guarantee that one of the firms examined will not be yours. It's always wise to be prepared to the best of your ability, and if that's not good enough, to be prepared with an explanation as to why. Please let us know if we can assist you in any way.
View the Risk Alert