SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers


On April 15, 2014, the Office of Compliance Inspections and Examinations of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.

The full text of the Risk Alert is available here.

SEC-registered investment advisers should review the Risk Alert, assess their current level of preparedness for cybersecurity threats, and consider whether any changes need to be made to their current cybersecurity policies and procedures. The Risk Alert includes an appendix containing 28 sample information requests that the SEC may send to investment advisers as part of the SEC’s cybersecurity initiative.

In summary, the sample information requests in the Risk Alert appendix cover the following topics:

  1. cybersecurity governance, including the firm’s written information security policies, business continuity plan, and the identity of the firm’s Chief Information Security Officer;
  2. identification and assessment of cybersecurity risks, including the month, year, and frequency with which physical devices, software platforms, and networks are inventoried at the firm and detailed information regarding the firm’s periodic risk assessments;
  3. protection of networks and information, including whether the firm relies on any published cybersecurity risk management process standards and the practices and controls the firm utilizes to protect its networks;
  4. risks associated with remote customer access and funds transfer requests;
  5. risks associated with vendors and other third parties, including the policies and procedures the firm uses to assess cybersecurity risks of vendors and other third parties;
  6. detection of unauthorized activity; and
  7. experiences with certain cybersecurity threats.

The sample information requests in the Risk Alert also address compliance with the Identity Theft Red Flag Rules, which came into effect in 2013.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP | Attorney Advertising

Written by: Foley Hoag LLP
