What Boards Need to Know About the SEC’s New Cybersecurity Request List
Cybersecurity oversight continues to challenge boards and now the SEC has updated their request list for cyber exams. This updated list combined with previously articulated SEC expectations, provides some directional help for boards as they navigate cybersecurity issues.
Before we explore the questions asked by the SEC in their request list there are some overall observations worth noting:
- The differences with prior exams are significant.
- The level of sophistication of the questions and the precision of the requested information has increased dramatically.
- The expectations of data availability, and timing of responses have greatly increased.
- The understanding of the issues by SEC personnel has significantly expanded.
- The SEC’s own data-gathering and analytic capabilities have become broader and more vibrant than ever before, and they are increasing.
The request list is divided into six overall categories:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Incident Response
Each category is replete with requests for information. Topics include policies and procedures, lists of access individuals and other identified categories of employees, employee hiring, training, control and supervision issues, questions relating to contractors, event logs, patch management, management and oversight of service providers, incident response plans and tests, and the minutes of meetings and briefing materials used with the adviser’s board.
Viewed as a whole, the request list brings seven existing areas into sharper focus:
- The overall environment of controls and supervision.
- The actual policies governing the cybersecurity environment.
- The tools used to control these matters including such topics as access controls, data integrity, and loss prevention.
- A focus on employees (and contractors) including onboarding, training, monitoring behavior, and departure procedures.
- A deep dive into service provider and vendor management issues.
- The incident response plan.
- Demonstration of written procedures, tests, and submissions to the relevant oversight board.
As detailed as these matters may be, they are not an exhaustive list by any measure. But, for the purposes of board oversight they can provide a focused discussion with management. Whether or not the SEC comes knocking, the exercise is a prudent one and sure to be informative.