SEC Cybersecurity Exam Requests

posted in: Privacy & Data Security

Cybersecurity seems to be all the rage with both SEC and state regulators. However, advisers have been flying blind as to what the regulators may actually request during a cybersecurity exam. Thanks to our contacts in the industry, we were able to obtain a list of cybersecurity-related information requested by the SEC during a recent exam of an investment adviser.

  1. Does the Registrant allow employees (or any person) to access any personal web-based e-mail accounts (e.g., Google, Yahoo Mail, Hotmail, etc.) from the firm’s networks? If no, what steps has the Registrant taken to block network access to personal e-mail?
  2. Does the Registrant allow employees (or any person) to use their personal e-mail for business purposes? If yes, what types of information are transmitted via web-based e-mail? Is web-based e-mail used for client communications?
  3. Does the Registrant use a web-based e-mail provider’s or its own server for e-mail? If the Registrant is using a web-based e-mail account does it have a business account with the provider?
  4. Please provide a copy of the terms of service agreement from each web-based e-mail provider that the Registrant is using.
  5. Does the Registrant maintain records of web-based e-mail communications? If so, how are the records maintained?
  6. Does compliance review web-based e-mail communications?
  7. Does the Registrant have any written policies and procedures to govern the access to/use of/maintenance of/review of web-based e-mail? If yes, please provide copies of the policies and procedures.
  8. Does the Registrant use any cloud-based storage (e.g., Dropbox, SkyDrive, Google Docs, etc.) for data backup or any other purpose? If so, please list the vendors used.
  9. Is the Registrant using a personal or business version of the cloud storage?
  10. Please provide a copy of the terms of service agreement from each cloud storage vendor that the Registrant is using.
  11. Does the Registrant have any written policies and procedures to govern the use of/access to cloud storage? If so, please provide copies of the policies and procedures.
  12. Has the Registrant ever had any data breaches or any other cybersecurity issues (e.g., hacking incidents, ransomware, etc.)? If yes, please provide a timeline and describe the nature of the incident.