The Risk Alert includes a sample information and document request list that describes the various categories of detailed information that OCIE will potentially be seeking through its examinations. This disclosure by OCIE is intended to provide compliance professionals in the securities industry with questions and tools they can use to assess their firms’ level of preparedness. The sample information and document request list also can be used by a firm’s compliance department as a guide to track the firm’s cyber infrastructure, assess the firm’s cybersecurity risks and document, implement and monitor policies and procedures regarding identification, documentation, prioritization and mitigation of cyber risks. The sample request list suggests that all financial firms should, among various other measures:
- use an established framework to address cybersecurity;
- have written policies and procedures in place to manage information security assets, networks and information;
- conduct periodic risk assessments to identify physical cybersecurity threats and vulnerabilities;
- identify persons responsible for overseeing cybersecurity risks;
- implement a cybersecurity incident response policy; and
- maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents.
OCIE hopes that these examinations will identify areas where the SEC and the securities industry can work together to protect investors and capital markets from cybersecurity threats. Registered broker-dealers and investment advisers should review the information and document requests included in the Risk Alert and evaluate their existing cybersecurity policies and procedures. Financial firms should also prepare for OCIE’s greater scrutiny of their cybersecurity policies and procedures.