OCIE’s 2015 Cybersecurity Examination Initiative

Foley Hoag LLP

Second Round of Cybersecurity Examinations to Begin

On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative. The Risk Alert’s purpose is to provide additional information on the areas of focus for the OCIE’s examinations, which will involve more testing to assess implementation of firm procedures and controls.

Registered investment advisers should review their current cybersecurity practices, policies and procedures to ensure that they have addressed the matters referred to in the sample request for information which is included as an Appendix to the Risk Alert and consult with their IT service providers, as appropriate. They will likely be asked to provide this information on an SEC examination.

In summary, the OCIE is planning to assess the following key areas:

  • Governance and Risk Assessment: protection of client information procedures, board minutes and briefing materials regarding cybersecurity, Chief Information Security Officer position, organizational structure, periodic testing and risk assessment for cybersecurity-related matters.
  • Access Rights and Controls: how firms control onsite and offsite access to various systems and data, including the management of user credentials, authentication, and authorization methods.
  • Data Loss Prevention: how firms monitor outbound communication and data transferred by employees or third parties.
  • Vendor Management: how firms conduct diligence and monitor downstream compliance controls of third-party vendors, and contingency planning.
  • Training: how firms train employees and third-party vendors on data security and data breach prevention measures.
  • Incident Response: whether firms have established proper protocols to prevent and/or respond to cybersecurity attacks, including developing plans to assess system vulnerabilities and to address possible future incident and cybersecurity insurance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP | Attorney Advertising

Written by:

Foley Hoag LLP

Foley Hoag LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.