To comply with this intensifying set of requirements, financial organizations with affiliate or domiciled firms in the US must be prepared to present documentation, policies and procedures, and tangible evidence related to cybersecurity matters.

Since issuing its examination risk alert in 2015, the Securities and Exchange Commission (SEC) has expanded the focus and depth of its cybersecurity requirements, leaving firms wondering if they have the right mechanisms in place.

This checklist is an interpretation of the appendices from the OCIE September 2015 Cybersecurity Risk Alert, formatted as questions within six categories.

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response