OCIE’s 2015 Cybersecurity Examination Initiative

On September 15, 2015, the SEC issued the above-named Risk Alert. Really, though, it's a wake-up call for us to focus on cybersecurity issues in Fiscal Year 2016, which for the SEC starts October 1, 2015.

In April 2014, OCIE announced that it would conduct examinations to identify cybersecurity risks and assess cybersecurity preparedness in our industry. In February 2015, OCIE published the findings of these examinations, including some of the legal, regulatory, and compliance issues associated with cybersecurity. OCIE then announced in its 2015 Examination Priorities that there would be a focus on cybersecurity compliance and controls. In this new Risk Alert, OCIE provides information on the areas of focus for the 2016 cybersecurity examinations, which will include testing to assess the implementation of procedures and controls.

This initiative will focus on the following areas:

Governance and Risk Assessment
Assess whether you are periodically evaluating cybersecurity risks and whether the controls in place are tailored to the business.

Access Rights and Controls
Assess the risk of failing to implement controls that prevent unauthorized access to systems or information, such as updating access rights based on personnel or system changes.

Data Loss Prevention
Assess how firms monitor the volume of content transferred outside of the firm by employees or third parties such as vendors, and how you verify the authenticity of a client request to transfer funds.

Vendor Management
Assess the risk of breaches due to the hacking of a third-party vendor's platform, and the due diligence applied in the selection and monitoring of third-party vendors.

Training
Assess the proper training of employees and vendors, tailored to specific job functions and designed to encourage responsible employee and vendor behavior.

Incident Response
Assess whether you have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address future events or attacks on your systems.

Attached as an Appendix to the Risk Alert is a sample list of the information the examination staff may request during cybersecurity examinations. The sample request includes items from each of the six areas described above and is fairly lengthy, so we suggest that you sit down with your IT staff or consultant and determine whether you can provide this information upon the Staff's request; if so, how long it would take; and if not, what actions you can take. If the requested information is not obtainable, be prepared to explain that to the SEC.

We're always gratified when the SEC is willing to let us know what they're looking for in advance of an examination. Knowing that probably only 10% of the adviser population will be examined in any one year is no guarantee that one of the firms examined will not be yours. It's always wise to be prepared to the best of your ability, and if that's not good enough, to be prepared with an explanation as to why. Please let us know if we can assist you in any way.


View the Risk Alert

One Response to “OCIE’s 2015 Cybersecurity Examination Initiative”

  1. First-Ever Cybersecurity Enforcement Action! - Focus 1 Associates LLC

    […] incidents. This case demonstrates the seriousness of the issue, specifically in light of the recent Risk Alert from OCIE on this same […]