SEC Launches Second Round of Cybersecurity Examinations | Practical Law


Practical Law Legal Update 3-618-8589 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 21 Sep 2015
USA (National/Federal)
On September 15, 2015, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a risk alert regarding its 2015 Cybersecurity Initiative. The SEC first announced that it would focus on cybersecurity examinations in 2014. In February 2015, OCIE published its Cybersecurity Examinations Sweep Summary, which reported the findings of its initial round of examinations and addressed some of the legal, regulatory and compliance issues surrounding cybersecurity. The risk alert announces a second round of cybersecurity examinations in furtherance of the cybersecurity initiative and identifies the risk areas on which those examinations will focus.
The second round of examinations will focus on key risk controls, with the aim of assessing the cybersecurity preparedness of broker-dealers and investment advisers, including their ability to protect customer information. Specifically, the examinations will focus on:
  • Governance and risk assessment.
  • Access rights and controls.
  • Data loss prevention.
  • Vendor management.
  • Training.
  • Incident response.
These focus areas are not exclusive: examiners may add other risk areas to an examination based on the risks they identify during the course of their work.
To promote compliance and to alert regulated entities to where OCIE perceives cybersecurity risk, the risk alert includes, for each focus area, a list of sample documents and information that examiners may request as part of an examination. Some of these requests track information outlined in the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. For more information on the framework, see Practice Note, The NIST Cybersecurity Framework.