SEC Cybersecurity Exam – 6 Areas Of Focus
The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a Risk Alert describing the series of cybersecurity examinations it will be conducting. In the Alert, OCIE stated that these examinations will involve more testing to assess how firms have implemented their cybersecurity procedures and controls, focusing on six priority areas:
- Governance and Risk Assessment
- Incident Response
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Training
Let Us Help You Achieve Compliance
TBG Security consultants have been helping customers comply with State and Federal business and privacy regulations for more than a decade.
Working either as a full-service consultant or as an adjunct to your in-house teams, TBG Security will execute our phased compliance readiness process to ensure that your business meets or exceeds its compliance requirements:
- Creating a comprehensive information security policy.
- Performing an audit to determine current level of regulatory compliance.
- Providing remediation for vulnerabilities detected on your systems.
- Advising your company on specific steps needed to achieve compliance.
- Deploying security infrastructure to encrypt email messages automatically.
- Encrypting your company’s laptops and other mobile devices.
- Securing your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code.
What if I Don’t Comply?
In light of the OCIE’s continued interest in promoting the Cybersecurity Examination Initiative, it would be prudent for broker-dealers and investment advisers to reflect on their cybersecurity policies and preparedness. We’ve already seen fines of $75,000 and higher for non-preparedness.
SEC Cybersecurity Exam Cheatsheet
Regulation type: Federal examination guidance (SEC Risk Alert)
Governing body: The Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”)
The Alert: OCIE’s Cybersecurity Examination Initiative
Purpose: In light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry.
The SEC will evaluate the design and effectiveness of an adviser’s compliance program with respect to its oversight of advisory services provided at its branch offices. In particular, through interviews and the review of advisory records, the staff will assess, among other things:
- Implementation of policies and procedures in the main and branch offices;
- Supervision structure, including an assessment of how such supervision is tailored to the unique risks in particular branches;
- Role and empowerment of compliance personnel charged with overseeing branch offices, including their level of access to documents and relevant information; and
- Accuracy of information on the adviser’s filings regarding branch offices, including Form ADV, as compared to actual practices.
Who must comply:
A variety of financial institutions including investment advisers, investment companies, broker-dealers, transfer agents, and private fund advisers.
Get In Touch
Want more information on SEC examinations? We’re here to help.