
Securities and Exchange Commission Cybersecurity Regulation Compliance

The SEC does not publicly provide a checklist that has to be completed to pass an audit. The best current guidance seems to be the SEC's sample examination document request, which asks for the material summarized below.

Pulled from that document are the following areas of interest. Each heading describes what examiners are likely to ask for; the Firm should keep the answer, and the evidence behind it, current and ready to produce.

Keep Records

Regularly self-audit, and log the date and owner each time one of the following steps is conducted:

  • Inventory the Firm's physical devices and systems
  • Inventory the Firm's software and applications
  • Map network devices and connections, and where customer data is housed, created, and updated
  • Log connections to the Firm's network from external sources
  • Prioritize hardware and software protection based on sensitivity and business value
  • Ensure logging capabilities are adequate, have long-term retention, and are securely maintained (logs that can be altered or deleted by the people they record are of little evidentiary value)

Give the SEC the Security Policy

Providing the SEC with the Firm's written information security policy is crucial to retaining compliance.

  • Provide the dates on which each cybersecurity policy was completed or last updated
  • Provide the written information security policy documents themselves

Indicate Periodic Assessments

The SEC expects the Firm to conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.

  • Identify who (business group or title) conducts them, and when the most recent assessment was completed
  • Describe any findings from the most recent risk assessment that were rated moderate or high risk and have not been fully remediated

Employee Roles

  • Provide written documentation of each employee's cybersecurity roles and responsibilities, with a brief description of each.

Mitigation Plans

  • Business continuity plans
  • Plans for mitigating identified risks
  • Plans for recovery if an incident occurs

Who Is the CISO

  • Does the Firm have a Chief Information Security Officer or an equivalent position?
  • If so, identify that person, their title, and their responsibilities.
  • If not, where does the responsibility for overseeing cybersecurity reside within the Firm?

Insurance Policy

  • Does the Firm have an insurance policy that covers losses attributed to cybersecurity incidents?
  • If so, briefly describe what the policy covers
  • Indicate whether the Firm has filed any claims under it, and how those claims were resolved
  • Attach a copy of the insurance policy

Compliance Standards

Protection Practices

Indicate which of the following practices are used by the Firm:

  • The Firm provides written guidance and periodic training to employees concerning information security risks and responsibilities. Provide a copy of the training material (e.g. presentations) and identify the dates, topics, and which groups of employees participated in each training event.
  • The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. Describe the controls used.
  • The Firm restricts users to those network resources necessary for their business functions. Describe the policies and procedures.
  • The Firm maintains an environment for testing and development of software applications that is separate from the production business environment.
  • The Firm maintains a baseline configuration of hardware and software, and users are prevented from altering the environment without authorization and an assessment of the security implications.
  • The Firm has a process to manage IT assets through removal, transfer, and disposition.
  • The Firm has a process for ensuring regular system maintenance, including timely installation of software patches that address security vulnerabilities.
  • The Firm's information security policy and training address removable media such as thumb drives. Describe these controls.
  • The Firm maintains controls to secure removable and portable media against malware and data leakage. Describe these controls.
  • The Firm maintains protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses. Describe what the protection does and who provides it.
  • The Firm maintains a written data destruction policy.
  • The Firm maintains a written cybersecurity incident response policy. Provide it and the date it was last modified.
  • The Firm conducts tests and exercises to assess its incident response policy. Provide a copy of the results, the date of the most recent test, and who conducted it.
  • The Firm periodically tests the functionality of its backup system. Provide the date the backups were last tested.

Encryption

  • Indicate whether the Firm uses encryption.
  • Under what circumstances are each category of data, communication, and device encrypted (e.g. at rest, in transit, on portable devices)?

Compliance Audits

  • Does the Firm conduct regular audits of compliance with its security policies?
  • In what year was the most recent audit, and who conducted it?

Online Account Access

  • Does the Firm provide customers with online account access?
  • Name any third parties that manage the service.
  • Describe the functionality available to customers on the platform (e.g. balance inquiries, address and contact information changes, beneficiary changes, transfers among the customer's accounts, withdrawals or other external transfers of funds).
  • How are customers authenticated for online account access and for transactions?
  • Does the Firm use any fraud-detection software or practice for detecting anomalous transaction requests that may indicate compromised customer account access?
  • Describe the security measures used to protect customer PINs and credentials stored for the site.
  • Describe any information given to customers about reducing cybersecurity risks when conducting business with the Firm.

Email Verification

  • Provide a copy of the Firm's procedures for verifying the authenticity of email requests seeking to transfer customer funds.
  • Describe the process used to verify customer identities.

Addressing Attack Losses

  • Attach the Firm's policy for addressing responsibility for losses associated with attacks or intrusions impacting customers.
  • Does the Firm offer its customers a security guarantee to protect them against hacking of their accounts?
  • If a security guarantee exists, provide the SEC with a copy of it.

Vendors and Business Partners

Third-Party Risks

  • Does the Firm require cybersecurity risk assessments of vendors and business partners with access to the Firm's network, customer data, or other sensitive information?
  • Name who at the Firm conducts these risk assessments, and describe any standards established for them.
  • Provide a copy of the questionnaire used.

Vendors Know Requirements

  • Does the Firm incorporate requirements relating to cybersecurity risk into its contracts with vendors and business partners?
  • Describe which requirements are incorporated in these contracts and under what circumstances.

Training Materials

  • For all vendors and business partners with access to the network, provide a copy of the information security procedures and responsibilities training they receive.

Network Segregation From Vendors

  • Does the Firm segregate sensitive network resources from those accessible to third parties?
  • Which business group or title assesses the network segregation?
  • Provide the SEC with a copy of any relevant policies or procedures.

Approval and Logging

  • Describe the approval process for third parties who conduct remote maintenance.
  • Who conducts remote maintenance on the Firm's network and devices?
  • Describe any logging process or controls used to prevent unauthorized access, and provide a copy of all relevant policies and procedures.

Job Responsibilities

Identity Theft Red Flags Rule

How Firm Prioritizes Practices

Crime Reporting

23 Identified Threats

24 Theft or Loss

25 Reporting

26 Serious Cybersecurity Risk

27 Provide Other Info