Cybersecurity Requests in SEC Exams
May 30, 2023
What happened?
A cyber sweep exam is currently underway by the Division of Examinations. The request list includes multiple items that align with components of the proposed cybersecurity rule, including:
- Hardware & software inventory
- Policies & procedures regarding electronic communication
- NPI storage & destruction
- Privacy or information security incident documentation
- Mobile device management
- Risk assessment
In addition to the sweep exam, we are noticing an increase in cyber-related requests in routine examinations. Below is a sample of cyber-related requests we have seen.
- Cybersecurity Incidents – A list of all cybersecurity incidents or breaches that occurred during the Examination Period. If applicable, provide a description of each incident, including the date of occurrence; date discovered; whether the cybersecurity incident resulted in harm to investors; and whether the incident has been resolved, including a description of any remediation efforts undertaken in response.
- Electronic Communications – Please explain the steps taken by the Adviser to monitor, review, and retain electronic communications related to the Adviser’s business. Electronic communications include, but are not limited to, email, text messages, messaging apps, instant messages, Bloomberg messaging, and private messaging on social media sites. Please address the following:
  - Whether supervised persons are permitted to use personal devices for firm business or are permitted to use any form of electronic communication other than Adviser email accounts for business purposes;
  - If so, what steps the Adviser takes to approve the use of such personal devices or additional means of electronic communications; and
  - What steps the Adviser takes to ensure that supervised persons only use approved means of electronic communications to conduct firm-related business. Please also explain the Adviser’s policies on use of Dropbox, Google Drive, and other forms of cloud storage by supervised persons.
- Policies & Procedures – Provide a current copy of the Adviser’s privacy policy, Regulation S-ID policy, and policies and procedures addressing the following:
  - Protection of client records and information;
  - Penetration testing (include the date of the most recent test);
  - Vulnerability scans (include the date of the most recent scan);
  - Patch management;
  - Training;
  - Vendor management;
  - Data loss prevention;
  - Access rights;
  - Incident response; and
  - Verification of the authenticity of a client request to transfer funds.
- Insurance – Provide the Adviser’s insurance policy that addresses the response to cybersecurity incidents.
- Training – Provide a list of training offered by the Adviser and/or third-party vendors related to cybersecurity.
- Vendor Management – Provide a list of vendors with access to the Adviser’s network, systems, or data. Indicate whether the vendor is web- or cloud-based or a cybersecurity-related vendor. Provide the most recent due diligence questionnaire or report.
Next Steps:
Even though the proposed cybersecurity rule is still pending, regulators remain focused on cybersecurity-related topics, as evidenced by their recent risk alert and the increase in cybersecurity exam requests. Firms should prepare ahead of the proposed rule’s adoption and for potential cyber-related exam requests.
The proposed amendments will require a significant amount of time and enhancement to existing cybersecurity practices. Fairview Cyber offers turnkey solutions that address SEC requirements for cybersecurity, and our team of regulatory experts is available to answer any questions you may have regarding the proposed rules. To learn more, visit our Cyber Solutions page or contact us if you’d like to speak to one of our regulatory experts.