The SEC announced that it will conduct a second round of cybersecurity examinations and released a sample list of the information that its Office of Compliance Inspections and Examinations (OCIE) may request and review in the course of those examinations.
Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, with attention to the areas outlined below:
- Access Rights and Controls: how firms control access to systems and data, including how they manage user credentials, authentication, and authorization methods.
- Data Loss Prevention: how firms monitor the volume of content transferred outside the firm by their employees or through third parties, for example as email attachments or uploads.
- Vendor Management: firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training: how training is tailored to specific job functions and designed to encourage responsible behavior by employees and vendors.
- Incident Response: whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.