04/11/2019

Don’t Let Your Cybersecurity Policy Slip

An important article shared by OSAE Member thinkCSC

By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cyber-security legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.

The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:

• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.

Please select this link to read the complete article from ThinkAdvisor.