Recently, there has been an increase in SEC Exam requests related to cybersecurity. Although the SEC has not yet announced a sweep exam, there appears to be a cybersecurity exam initiative underway. This is likely due to the recent surge in supply chain attacks and data breaches, as well as the continued reliance on technology following the COVID-19 pandemic.
In response to the increase in cyber-attacks, the SEC has established the Event and Emerging Risks Examination Team (EERT), which will focus on these exams and test firms’ compliance programs to determine whether firms are adequately prepared to address exigent security threats, security incidents, and increasing cyber-attack-related risks. Recent SEC Exam request lists focus on the following areas:
- Policies and procedures covering:
- Cyber and data security;
- Testing and documentation;
- Business continuity;
- Incident response;
- Encryption of data at rest and in motion;
- Data classification;
- Access management and review;
- Vendor and service provider management, including the implementation of a vendor due diligence program and documentation of vendor reviews;
- Cybersecurity monitoring and testing, including documentation of any exceptions related to the firm’s cybersecurity program; and
- Administration of comprehensive cybersecurity training, including phishing campaigns and employee training and testing.
WHAT DOES THIS MEAN FOR ME?
Firms should focus on developing and implementing a cyber and data security program that includes thorough documentation and testing, including those areas set forth above.
Policies and procedures should be reviewed and tested at least annually. Testing should include annual tabletop exercises to review incident response and business continuity plans.
Firms should also conduct annual penetration tests and frequent vulnerability scans, and regularly review network monitoring reports to remediate any gaps. Additionally, firms should develop a vendor management program, under which due diligence reviews will be conducted and approved.
Finally, firms should train and test employees on newly adopted policies to ensure all employees know and understand requirements for promoting cybersecurity in the workplace. Training programs should include mock phishing campaigns to ensure employees can identify potential phishing emails.
The SEC has become more sophisticated in reviewing advisers’ cybersecurity programs. This requires a team of cybersecurity and data privacy experts to support the firm in preparing for and responding to technical exam questions.
Our affiliate, Fairview Cyber, can help your firm prepare and respond to cyber and data security focused exams, whether the requests are from the SEC or another regulatory body. Contact us today for information on these additional services.