Memo #29349

OCIE Publishes a Risk Alert Containing the Document Request List for Its 2015 Cybersecurity Examination Initiative



September 16, 2015

TO: CHIEF INFORMATION SECURITY OFFICER ADVISORY COMMITTEE
COMPLIANCE MEMBERS No. 26-15
TECHNOLOGY COMMITTEE No. 16-15

RE: OCIE PUBLISHES A RISK ALERT CONTAINING THE DOCUMENT REQUEST LIST FOR ITS 2015 CYBERSECURITY EXAMINATION INITIATIVE

As you may recall, in 2014, prior to commencing cybersecurity preparedness examinations pursuant to its National Examination Priorities, the SEC’s Office of Compliance Inspections and Examinations published a Risk Alert identifying the areas of focus for these reviews and included an Appendix listing the documents OCIE would be requesting in connection with them. [1]  According to OCIE staff, the Risk Alert was intended to both alert registrants to the review and to enable those firms that were not visited as part of it to examine their own preparedness using the information in the Appendix.  Subsequent to conducting its review, OCIE both published a Risk Alert summarizing its findings and announced its intent to do a second round of reviews that would expand the scope of areas reviewed by OCIE and look at these issues in greater detail. [2]

Yesterday, OCIE published a Risk Alert announcing its 2015 Cybersecurity Examination Initiative. [3]  As with its April 2014 Risk Alert, the current Alert announces both the focus of these new reviews and the documents that OCIE expects to request in connection with them.  According to this Risk Alert, these reviews will focus on the following areas:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management and
  • Training.

This Risk Alert includes an Appendix listing the documents the OCIE staff will be seeking in each of these areas. 

We understand from members that these reviews have already begun.

 

Tamara K. Salmon
Associate General Counsel

endnotes

[1]  See Launch of Cybersecurity Preparedness Exams, OCIE Risk Alert (April 15, 2014) and ICI Memorandum 28050, dated April 17, which summarized the Risk Alert.

[2]  See Cybersecurity Examination Sweep Summary, OCIE Risk Alert (February 3, 2015) and ICI Memorandum 28707, dated February 3, 2015, which summarized the Risk Alert.

[3]  See OCIE’s 2015 Cybersecurity Examination Initiative (September 15, 2015), available here: http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.