SEC Updates Document Request List for Cybersecurity Examinations

April 9, 2019 by ACA Aponix

The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) recently updated the list of documents it typically requests during investment adviser examinations to reflect its 2019 cyber exam focus areas.

A common theme is the monitoring of branch offices and investment adviser representatives for adoption and implementation of cybersecurity policies and procedures. Additionally, the SEC is seeking documentation regarding protection of client non-public information (NPI) related to governance, access controls, data loss prevention, vendor management, training, and incident response.

Key highlights from the updated document request list include:


  • Ownership percentages of firm and control persons, and of entities that are controlled by, or under common control with, the registered firm
  • Office locations and staffing, including the firm’s main office and branch offices, and the number of employee and investment adviser representatives
  • NPI data policies and procedures, specific to branch offices and investment advisory representatives
  • Privacy policy provided to clients
  • Non-compliance records related to cybersecurity policies and procedures, and any action taken as a result of such non-compliance
  • Annual or interim cybersecurity compliance reports or other documents regarding cybersecurity policy/procedure compliance review or testing
  • Compliance with Regulation S-ID, the SEC’s Identity Theft Red Flags Rule

Access Controls

  • Access control policies and procedures related to remote offices and investment advisory representatives, and any differences from the main office

Vendor Management

  • Cloud service provider engagement policies, procedures, and standards
  • Terminated vendors list

Incident Response

  • Incidents and breaches list

While the monitoring of branch offices and investment adviser representatives and the protection of client non-public information are receiving heightened focus, the SEC continues to demand a wide breadth of documentation pertaining to investment adviser cybersecurity preparedness. For example, detailed lists of all staffing, organization hierarchy, terminations, roles, vendors, and response mitigation plans, as well as security policies and procedures, are still required, as in previous years.
