On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its third National Exam Program Risk Alert of the 2017 calendar year, detailing OCIE’s findings and
Continue Reading August 2017 Cybersecurity & Risk Alert from SEC
OCIE Risk Alert
OCIE Issues Risk Alert on Use of Outsourced Chief Compliance Officers
Earlier this week, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued a new Risk Alert related to the use of outsourced chief compliance officers (CCOs) by SEC-registered investment advisers and investment companies (Registrants). The Risk Alert shares staff observations, drawn from nearly 20 examinations under OCIE’s Outsourced CCO Initiative, of Registrants who outsource their CCO functions to unaffiliated third parties. The Risk Alert identified a number of key concepts that should be considered by Registrants.
First, Registrants with outsourced CCOs should review their business practices in light of the risks highlighted by the staff and the Registrant’s responsibilities under applicable compliance rules. The Risk Alert emphasizes that Registrants must not only assure that outside CCOs have the requisite knowledge and experience to carry out the responsibilities of a CCO; those CCOs should also have the authority and access to the organization needed to accomplish their duties.
OCIE Issues New Cybersecurity Risk
Two weeks ago, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its newest guidance on the subject of cybersecurity in the form of a new National Exam Program (NEP) Risk Alert, issued Sept. 15. In addition to the matters discussed below, the Risk Alert contains links to several earlier Commission and OCIE materials, including to the March 2014 SEC Cybersecurity roundtable, past NEP cybersecurity-related releases, and the 2015 SEC examination priorities.
With the purpose of “[providing] additional information on the areas of focus for OCIE’s second round of cybersecurity examinations” and in addition to informing industry participants that testing and assessing the implementation of cybersecurity procedures and controls will characterize the next phase of exams, the Risk Alert identifies six key areas of focus for OCIE: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. The Risk Alert also provides a sample document request, which regulated entities may use in assessing their cybersecurity programs.