skip to main content

Recognized as one of the most active and highly regarded investment management practices in the United States, our group represents all types of asset managers across the liquidity spectrum, including private equity funds, credit funds, hedge funds, venture capital funds, real estate funds, hybrid funds and family offices. We have successfully raised hundreds of billions of dollars for our clients, who benefit from our extensive market knowledge, industry-leading networking events and strong relationships with all major market participants. 

OCIE Issues Additional Information on Cybersecurity Examination Initiative

September 17, 2015 download PDF

The SEC's Office of Compliance Inspections and Examinations ("OCIE") recently published[1] additional information on the areas of focus for OCIE's second round of cybersecurity examinations of registered investment advisers and registered broker-dealers. SEC examiners will gather information on cybersecurity-related controls and procedures and will also test to assess implementation of certain firm controls and procedures, focusing on the following areas:

  • Governance and Risk Assessment - generally, policies and procedures related to the protection of client records/information and patch management practices (i.e., the development of a systematic and controlled process to update or "patch" vulnerabilities in existing software systems and applications); cybersecurity risk assessment processes; cybersecurity incident response planning.
  • Access Rights and Controls - generally, policies and procedures designed to prevent unauthorized access to firm network resources and devices; restrictions on access to certain systems and data via management of user credential, authentication and authorization methods.
  • Data Loss Prevention - generally, policies and procedures related to enterprise data loss prevention, data classification, monitoring the transfer of sensitive information outside of the firm (whether authorized or unauthorized).
  • Vendor Management - generally, policies and procedures related to the use of third-party vendors; due diligence with regard to vendor selection, monitoring, oversight, contract terms and contingency plans.
  • Training - training provided to employees and third-party vendors regarding information security and risks.
  • Incident Response - generally, policies and procedures addressing mitigation of the effects of a cybersecurity attack; testing of an incident response plan; records of any cyber incidents.


OCIE included in the risk alert a sample request for information and documents that examiners will be using as part of the Cybersecurity Examination Initiative.


[1] National Exam Program Risk Alert "OCIE's 2015 Cybersecurity Examination Initiative" (Sept. 15, 2015), see http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

© 2019 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy