What Boards Need to Know About the SEC’s New Cybersecurity Request List

April 15, 2019 by ACA Compliance Group


Cybersecurity oversight continues to challenge boards and now the SEC has updated their request list for cyber exams. This updated list combined with previously articulated SEC expectations, provides some directional help for boards as they navigate cybersecurity issues. 

Overall Observations

Before we explore the questions asked by the SEC in their request list there are some overall observations worth noting:

  • The differences with prior exams are significant. 
  • The level of sophistication of the questions and the precision of the requested information has increased dramatically.
  • The expectations of data availability, and timing of responses have greatly increased.
  • The understanding of the issues by SEC personnel has significantly expanded.
  • The SEC’s own data-gathering and analytic capabilities have become broader and more vibrant than ever before, and they are increasing.  

Request Specifics

The request list is divided into six overall categories:  

  • Governance and Risk Management
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response   

Each category is replete with requests for information. Topics include policies and procedures, lists of access individuals and other identified categories of employees, employee hiring, training, control and supervision issues, questions relating to contractors, event logs, patch management, management and oversight of service providers, incident response plans and tests, and the minutes of meetings and briefing materials used with the adviser’s board. 

Core Areas

Viewed as a whole, the request list brings seven existing areas into sharper focus: 

  1. The overall environment of controls and supervision. 
  2. The actual policies governing the cybersecurity environment. 
  3. The tools used to control these matters including such topics as access controls, data integrity, and loss prevention. 
  4. A focus on employees (and contractors) including onboarding, training, monitoring behavior, and departure procedures. 
  5. A deep dive into service provider and vendor management issues. 
  6. The incident response plan. 
  7. Demonstration of written procedures, tests, and submissions to the relevant oversight board.     

Conclusion

As detailed as these matters may be, they are not an exhaustive list by any measure. But, for the purposes of board oversight they can provide a focused discussion with management. Whether or not the SEC comes knocking, the exercise is a prudent one and sure to be informative.     

How ACA Can Help 

For insight on how to build a framework for cybersecurity oversight, download our white paper Board Oversight of Cybersecurity...In Search of the Rosetta Stone.

ACA Compliance Group offers a range of services to support Directors. Learn more about our solutions here

About the Author

James P. Pappas is a Managing Director responsible for ACA’s board services practice which assists boards exercise oversight and business judgement. Jim has had senior roles in the investment industry and has served as a director of a mutual fund family and as a trustee of a public university foundation since 1998, currently serving as Chair of its Governance and Audit Committee.

Jim began his career as a corporate lawyer at Shearman & Sterling. He holds a JD, with honors, from Syracuse Law School and a BA, with honors, from the University of Massachusetts, Amherst.