Board Considerations on Cybersecurity Exams
According to a recent alert from consulting firm ACA Compliance Group, the SEC's Office of Compliance Inspections and Examinations (OCIE) recently updated the list of documents it typically requests during adviser examinations to reflect its 2019 cyber exam focus areas. ACA's observations may be helpful to boards as they consider OCIE's current lines of inquiry into firms' cybersecurity programs.

ACA Compliance found that OCIE's current exams differ significantly from prior exams: the sophistication of OCIE's questions and the precision of the information requested have increased dramatically, and the SEC's data-gathering and analytic capabilities have become broader and more active.

ACA Compliance highlights several oversight areas and questions for boards to pursue with management, including: the overall environment of controls and supervision; the policies governing the cybersecurity environment; the tools used to implement those policies, including access controls, data integrity, and data loss prevention; a focus on employees (and contractors), including onboarding, training, monitoring of behavior, and departure procedures; and service provider and vendor management. ACA Compliance also recently released a white paper, Board Oversight of Cybersecurity...In Search of the Rosetta Stone, that offers guidance on building a framework for cybersecurity oversight.