SEC Cyber Risk Guidance Update: Risk Assessment Requirements
We are excited to release the first in Eze Castle Integration's three-part SEC Cybersecurity Guidance Update video series.
In case you missed it, in April 2015 the SEC issued a Guidance Update on Cybersecurity Risks and Expectations for registered investment companies and registered investment advisers. The three-point guidance update addresses the need for cybersecurity assessments, a cybersecurity strategy, and written policies and procedures.
To get you up to speed quickly, we’ve created this video series. In this first (90-second) video, we cover the SEC's cybersecurity guidance on conducting periodic risk assessments. Part 2: Prevent, Detect & Respond and Part 3 are also available.
Recapping SEC Cyber Risk Guidance on Assessments
In case you prefer to read, here are some key cyber risk assessment takeaways:
Define what counts as confidential data and determine how it is protected.
You must also understand where your data is located, how it is collected, and which people and technology systems have access to it.
Registered investment advisers should have a clear understanding of the threat landscape, including potential internal and external risks as well as vulnerabilities unique to the firm. Evaluate a variety of potential scenarios along with their likelihood of occurring.
Once firms understand the risks facing their organization, they must conduct assessments of the existing controls and processes to ensure they account for the risk landscape and put the appropriate safeguards in place.
Be sure to understand the potential impacts of various cyber risk scenarios and outline specific protocols for incident response and quick resolution. The impact of cybersecurity incidents can range from financial to technological to reputational.
Finally, testing and assessing the governance structure, including administrative and technical safeguards, is key to ensuring effectiveness.