Let’s talk about the internal vulnerability scan — the process regulators expect firms to use to identify cybersecurity risks in systems that handle client data.
Under SEC expectations for investment advisers, firms are required to maintain written cybersecurity policies and procedures and implement safeguards to protect client information (Reg S-P Safeguards Rule). Advisers must also conduct periodic reviews of the adequacy and effectiveness of their policies (Advisers Act Rule 206(4)-7). In practice, that means firms must be able to demonstrate they are identifying vulnerabilities, assessing risk, and taking corrective action — not just running antivirus and hoping for the best.
The rest of this article is free to read with a BrainTrust membership — joining takes about a minute, and no credit card is required.