What a Cyber Risk Vulnerability Threat Assessment Actually Involves

The written risk and threat assessment is, in my experience, the single most-requested document in an SEC cybersecurity examination. Rule 206(4)-7 requires advisers to identify risks and review the adequacy of their controls. Regulation S-P requires written safeguards reasonably designed to protect customer information. Neither obligation can be satisfied by a policy that asserts the firm is secure. Both require evidence that the firm looked, found what was actually there, and acted on it.

The rest of this article is free to read with a BrainTrust membership — joining takes about a minute, and no credit card is required.

Join the BrainTrust   Already a member? Sign in