SEC Announces 2nd Round of Cybersecurity Exams

Posted by Andrew Borowiec on Oct 21, 2015 12:38:44 PM

The SEC announced it will conduct a second round of cybersecurity examinations and released a sample list of information that the Office of Compliance Inspections and Examinations may review in the context of conducting examinations.

Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes in the areas outlined below:

  • Access Rights and Controls: how firms control access to various systems and data via management of user credentials, authentication, and authorization methods.
  • Data Loss Prevention: how firms monitor the volume of content transferred outside the firm by their employees or through third parties, such as via email attachments or uploads.
  • Vendor Management: firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
  • Training: how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior.
  • Incident Response: whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.

Click here for the SEC’s release.

Tags: Fund of Funds, HR Due Diligence, Policies and Procedures, Service Providers, Article, Business Continuity/Disaster Recovery, Education Articles, Fraud Risk and Irregularities, Hedge Funds, Private Equity, SEC Exams, Technology
