SEC Cybersecurity Guidance

SEC Cybersecurity Guidance2019-04-29T14:26:02+00:00

SEC Cybersecurity Guidance for Registered Investment Advisors

What is the cybersecurity guidance?

SEC Cybersecurity Guidance Main DocumentThe main document that outlines the SEC cybersecurity guidance (and the expectations from the OCIE) is the “OCIE’s 2015 Cybersecurity Examination Initiative.

This five-page document spells out 34 specific cybersecurity measures that each firm needs to address.

Additionally, the SEC has published a number of other pieces of cybersecurity-related guidance that you should consider, including:

Finally, there are also published guidelines around topics very closely related to cybersecurity, such as:

As with all regulatory matters, if you’re not sure which cybersecurity regulations apply to your RIA firm, consult with a qualified compliance attorney or compliance consultant.

Staying up to date on the latest SEC Cybersecurity Guidance

The best resources we’ve found to stay up to date on the latest cybersecurity guidance are:

1) Subscribe to the OCIE Announcements.

Head over to the Announcements page and enter your email address to get email notifications when a new piece of guidance is published.

OCIE Email Alerts for Announcements

2) Subscribe to updates from Lexology. 

The Lexology website hosts fantastic articles written by attorneys on a wide variety of topics.  Register for a free account, and they can send you daily or weekly email alerts.

We’ve found it’s best to sign up to get updates for the “IT & Data Protection” work area.

You’ll find the articles are helpful not only to read interpretation of the SEC’s guidance, but also to keep updated about other cybersecurity and privacy-related regulations that might impact your business.

Making sense of the Cybersecurity Guidance

Much of the decision-making process is left up to each individual registered investment advisor to decide what and how to address the guidance in their firm.

The devil is truly in the details — the guidance tells you WHAT to address, but not HOW to address it.

As part of our cybersecurity service for registered investment advisors, we’ve had an opportunity to see first-hand the areas where RIA’s tend to struggle.

As a result, we’ve published a number of topical guides that dive into the guidance and explore your options and make recommendations.

You can read these detailed guides here: