The SEC’s 2018 Cyber Exam Focus Areas — What You Need to Know

March 1, 2018 by Askari Foy

The SEC’s 2018 Cyber Exam Focus Areas — What You Need to Know

Cybersecurity has been a top focus area for the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) for the past several years. On February 7, the SEC named cybersecurity as a top examination priority for 2018. And in September 2017, the SEC’s Division of Enforcement announced the formation of its cyber unit to focus on cybersecurity issues.

The SEC’s continued focus on cybersecurity is no surprise given the severe effect cyber incidents can have on firms, investors, and the operations of the securities markets.

What Your Firm Needs to Know

As part of the its 2018 examination priorities, the SEC announced the following six focus areas for 2018 cyber exams — here’s what your firm needs to know, and what you can do to prepare:

  1. Governance – Your firm should address the SEC’s cyber focus areas as part of your written cybersecurity policies and procedures. This includes demonstrating how cybersecurity threats are identified, managed, documented, and reported; how cybersecurity roles and accountability are assigned; and how your firm’s leadership implements cybersecurity governance.
  2. Access Rights and Controls – To prevent unauthorized access of network resources and devices, the SEC expects your firm to implement security tools that restrict user access according to job function, as well as conduct access reviews for employees and vendors.
  3. Data Loss Prevention – Your firm should implement security measures designed to combat the loss of sensitive enterprise data such as non-public personally identifiable information and shareholder data. These security measures should strengthen your firm’s ability to identify, monitor, and protect data at rest, in use, and in motion.
  4. Vendor Management – Vendors are entrusted with sensitive data, and the SEC expects firms to perform due diligence on third parties, consider contract requirements, determine vendor risk ranking criteria, and conduct ongoing oversight. – GDPR requires firms to undertake a holistic risk assessment across your organization to fully consider the key risk areas relating to the processing of personal data. In addition, your firm should review and update your existing privacy and information security policies and procedures for alignment with your firm’s GDPR requirements.
  5. Incident Response – Your firm must have an incident response plan in place to address potential cybersecurity incidents. This includes timely detection of the incident, properly disclosing information, and taking appropriate corrective actions.

  6. Training – Periodic cybersecurity awareness training is mandatory for all employees and contractors. Advisers must maintain evidence of the training performed, topics covered, and list of employees that participated.

How ACA Aponix Can Help

ACA Aponix can help your firm meet its regulatory obligations and prepare for 2018 cyber examinations. Our regulatory cybersecurity services include:

  • Cybersecurity and Technology Risk Assessments – We can help determine if your firm’s business processes and system or network configurations could expose your business to cyber threats.
  • Mock Regulatory Cybersecurity Exams - We can help your firm address current and emerging cybersecurity risks and prepare for an actual cybersecurity examination by reviewing your firm’s cybersecurity program from a regulator’s perspective.


For an overview of 2018 SEC exam priorities and focus areas for investment companies, view our webcast available on demand.

About the Author

Askari Foy is a Managing Director overseeing ACA Aponix's Global Regulatory Cybersecurity Practice. He recently joined ACA after serving for over 13 years with the U.S. Securities and Exchange Commission (“SEC”), where he was most recently Associate Director and Head of the National Technology Controls Program (“TCP”) with the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). TCP conducts cybersecurity examinations of registered investment advisers, broker-dealers, national securities exchanges, clearing agencies, automated trading systems, and self-regulatory organizations to ensure compliance with federal securities laws. As head of the TCP, Askari developed and implemented cybersecurity risk-based examination and surveillance strategies that promoted the importance of cybersecurity and IT Governance structure among SEC registrants. Askari was also a contributor to the implementation of Regulation SCI, which focuses on critical market infrastructure and is used as a guideline for investment adviser and broker-dealer examinations.