Cybersecurity oversight continues to challenge boards, and now the SEC has updated its request list for cyber exams. This updated list, combined with previously articulated SEC expectations, provides some directional help for boards as they navigate cybersecurity issues.
Before we explore the questions asked by the SEC in its request list, there are some overall observations worth noting:
- The differences with prior exams are significant.
- The level of sophistication of the questions and the precision of the requested information has increased dramatically.
- The expectations for data availability and the timing of responses have greatly increased.
- The understanding of the issues by SEC personnel has significantly expanded.
- The SEC’s own data-gathering and analytic capabilities are broader and more active than ever before, and they continue to grow.
The request list is divided into six overall categories:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Incident Response
Each category is replete with requests for information. Topics include policies and procedures, lists of individuals with access rights and other identified categories of employees, employee hiring, training, control and supervision issues, questions relating to contractors, event logs, patch management, management and oversight of service providers, incident response plans and tests, and the minutes of meetings and briefing materials used with the adviser’s board.
Viewed as a whole, the request list brings seven existing areas into sharper focus:
- The overall environment of controls and supervision.
- The actual policies governing the cybersecurity environment.
- The tools used to control these matters including such topics as access controls, data integrity, and loss prevention.
- A focus on employees (and contractors) including onboarding, training, monitoring behavior, and departure procedures.
- A deep dive into service provider and vendor management issues.
- The incident response plan.
- Demonstration of written procedures, tests, and submissions to the relevant oversight board.
As detailed as these matters may be, they are not an exhaustive list by any measure. But for the purposes of board oversight, they can provide a focused discussion with management. Whether or not the SEC comes knocking, the exercise is a prudent one and sure to be informative.
How ACA Can Help
For insight on how to build a framework for cybersecurity oversight, download our white paper Board Oversight of Cybersecurity...In Search of the Rosetta Stone.
About the Author
James P. Pappas is a Managing Director responsible for ACA’s board services practice, which assists boards in exercising oversight and business judgment. Jim has held senior roles in the investment industry and has served as a director of a mutual fund family and as a trustee of a public university foundation since 1998, currently serving as Chair of its Governance and Audit Committee.
Jim began his career as a corporate lawyer at Shearman & Sterling. He holds a JD, with honors, from Syracuse Law School and a BA, with honors, from the University of Massachusetts, Amherst.