ThreatWire

The SEC Cybersecurity Compliance Documentation Request List

This is a community paste of the cybersecurity and IT-related questions we have seen the SEC, FINRA, and SSBs send to firms before showing up for an onsite interview or examination.

We have found the best way to prepare for an SEC cybersecurity audit is to study and prepare for the requests that will be coming your way.

We hope this document helps

Good Luck.

For each of the following practices employed by the Firm for management of information security assets, please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice; and, if not conducted firm wide, the areas that are included within the practice. Please also provide a copy of any relevant policies and procedures.

• Physical devices and systems within the Firm are inventoried and assessed for risks.

• Software platforms and applications within the Firm are inventoried and audited.

• Maps of network resources, connections, and data flows (including locations where customer data is housed) are created or updated.


An overview of SEC Cybersecurity Regulation and Compliance Documentation Requirements

The SEC has been increasingly focused on cybersecurity in recent years, with multiple rounds of subpoenas, investigations, and examinations.

In this video, we provide an overview of the SEC’s cybersecurity regulation and compliance documentation requirements as they relate to RIAs, Hedge Funds, Family Offices, and Broker-Dealers.

12 Solid Cybersecurity Steps for All SEC Registered Firms

Step 1: Install and maintain a firewall to protect data.


Step 2: Change default (vendor supplied) passwords on all firm devices and systems.


Step 3: Encrypt all hard drives.


Step 4: Encrypt transmission (internal or external) of client data.


Step 5: Use antivirus and malware detection software on all devices. Use a VPN for all mobile devices.


Step 6: Use only systems that support two-factor authentication (YubiKey, Google Authenticator, etc.).


Step 7: Restrict access to data only to those who need it to function in their jobs.


Step 8: Assign unique usernames to all employees who access your clients’ data. No sharing of passwords.


Step 9: Restrict physical access to the data. Lock your office, enable mobile wipe, etc.


Step 10: Monitor and log all access to data and network resources.


Step 11: Perform vulnerability scans on systems at least quarterly.


Step 12: Documentation is EVERYTHING!

21 Steps to Secure your RIA’s Wi-Fi Router.

1. Change the default password and user ID; the new password should be at least 16 characters long.

2. Turn off WPS

3. Turn off UPnP

4. Turn off NAT-PMP

5. Wi-Fi encryption should be WPA2 with AES (CCMP), never TKIP or WEP; use WPA3 if the router and your devices support it.

6. Wi-Fi passphrases should be long, random, and not reused anywhere else.

7. Don’t use an SSID that identifies you.

8. Use a password-protected guest network, isolated from the main LAN, for visitors and IoT devices.

9. Turn off remote administration (management of the router from the WAN side).

10. Test for open ports, from the WAN side as well as the LAN side.

11. Turn off port forwarding, if you can.

12. Check for new firmware monthly.

13. Get rid of the ISP-provided equipment. It is often slow to receive firmware updates and is commonly reachable by the ISP’s remote management, so replace it with a router you control.

14. Change the DNS servers that your router hands out to attached devices. The ISP-assigned DNS servers are usually the default, and the worst, option. Use resolvers such as 9.9.9.9 (Quad9, backed up by 149.112.112.112) or 1.1.1.1 (Cloudflare, backed up by 1.0.0.1).

15. Change the LAN-side IP address of the router from the vendor default.

16. For routers with a web interface, lock down access to the router from the LAN side with 2FA.

17. Turn off ping reply (ICMP echo) on the WAN side.

18. Turn off the wireless networks when not in use.

19. Block the ports used by Windows file sharing (TCP 139 and 445, UDP 137 and 138) at the WAN interface.

20. Block network printers from making any outbound connections.

21. If the router can email you when certain errors or security concerns occur, turn that on.
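Several of the steps above (remote administration in step 9, open ports in step 10, port forwarding in step 11, the DNS servers handed out in step 14, and the Windows file-sharing ports in step 19) can be verified from a laptop on the network rather than taken on faith from the router’s UI. The script below is an added example, not ThreatWire’s own tooling: it connect-scans a host, maps what it finds back to the checklist, and checks a resolv.conf-style resolver list against the recommended servers. The port groupings, the default router address of 192.168.1.1, and the sample resolv.conf text are assumptions made for illustration.

```python
"""Client-side checks for router steps 9, 10, 11, 14 and 19 above.

Added example, not ThreatWire's code. PORT_GROUPS, the default host and
SAMPLE_RESOLV_CONF are assumptions for illustration; adjust to your network.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports grouped by the checklist item they indicate when reachable (assumed).
PORT_GROUPS = {
    "remote administration": [22, 23, 80, 443, 8080, 8443],
    "Windows file sharing": [139, 445],
}

# Resolvers recommended in step 14 (Quad9 and Cloudflare, primary and secondary).
RECOMMENDED_DNS = {"9.9.9.9", "149.112.112.112", "1.1.1.1", "1.0.0.1"}

# Constructed sample: a client still using the ISP/router resolver alongside Quad9.
SAMPLE_RESOLV_CONF = """# Generated by DHCP
nameserver 192.168.1.1
nameserver 9.9.9.9
"""


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP connect scan: True only if the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Scan each port in parallel; returns {port: is_open}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: tcp_port_open(host, p, timeout), ports)
    return dict(zip(ports, results))


def evaluate(open_ports, scanned_from_wan: bool) -> list:
    """Map open ports to checklist findings.

    From the WAN side every listener is a finding (steps 9, 11, 19). From the
    LAN side the admin interface is expected to answer, so only the
    file-sharing ports are flagged.
    """
    open_ports = set(open_ports)
    findings = []
    for item, ports in PORT_GROUPS.items():
        hit = sorted(open_ports & set(ports))
        if not hit or (item == "remote administration" and not scanned_from_wan):
            continue
        findings.append(f"{item}: reachable on TCP {hit}")
    known = {p for ps in PORT_GROUPS.values() for p in ps}
    other = sorted(open_ports - known)
    if other and scanned_from_wan:
        findings.append(f"unexpected WAN listeners (port forwarding?): TCP {other}")
    return findings


def parse_resolv_conf(text: str) -> list:
    """Extract 'nameserver' entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_dns(servers, allowed=RECOMMENDED_DNS) -> list:
    """Resolvers not on the allow list, e.g. an ISP default still handed out by DHCP."""
    return [s for s in servers if s not in allowed]


def demo_loopback_scan() -> tuple:
    """Offline self-check of the scanner: listen on an ephemeral loopback port,
    scan it, close it, scan again. Returns (open_while_listening, open_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    before = scan_ports("127.0.0.1", [port])[port]
    srv.close()
    after = scan_ports("127.0.0.1", [port])[port]
    return before, after


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed router address
    from_wan = "--wan" in sys.argv  # pass when scanning your public IP from outside
    ports = set(range(1, 1025)) | {p for ps in PORT_GROUPS.values() for p in ps}
    open_ports = [p for p, ok in scan_ports(host, sorted(ports)).items() if ok]
    print("open TCP ports:", open_ports)
    for finding in evaluate(open_ports, from_wan) or ["no findings"]:
        print(" -", finding)
    print("resolvers to review:", unexpected_dns(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
```

Run it once from inside (`python3 check_router.py 192.168.1.1`) and once from a phone hotspot or other outside connection against your public address with `--wan`; the WAN run is the one that matters for steps 9, 11 and 19. A TCP connect scan does not see UDP services, so UPnP (SSDP on UDP 1900) and NAT-PMP (UDP 5351) from steps 3 and 4 still have to be confirmed in the router’s settings; replace SAMPLE_RESOLV_CONF with the contents of your own /etc/resolv.conf (or the DNS servers shown in your OS network settings) to check step 14 for real.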