Get the checklist

Download the SEC Cyber Rule Preparation Checklist for a high-level guide to help you prepare for the SEC cyber rule. The final ruling is scheduled for April 2024.

Fill out the form below to get the PDF.

For a personalized session to review the SEC Cyber Rule Preparation Checklist with your firm, click the button below to contact us.

We’ll reach out to schedule a free 30-minute review.

What’s Included

Policies and procedures, staff awareness training, internal controls, governance, reporting, and the protections around personally identifiable information are expected to be included in the final SEC Cyber Rule.

The SEC Cyber Rule Preparation Checklist covers what is outlined in the proposed SEC Cyber Rule, including:

Emphasizes the importance of maintaining an inventory of cybersecurity risks faced by investment advisers, registered investment companies, and business development companies. It requires firms to identify and assess potential cybersecurity risks that could compromise the confidentiality, integrity, or availability of their information systems.

Highlights the significance of managing vendor-related cybersecurity risks. It requires investment advisers, registered investment companies, and business development companies to establish and implement written policies and procedures for assessing and managing the cybersecurity risks associated with their vendors and service providers.

Emphasizes the role of governance in cybersecurity risk management. It requires firms to adopt and implement written policies and procedures that address the identification and assessment of cybersecurity risks, the protection of information systems, the detection and response to cybersecurity incidents, and the recovery from such incidents.

Requires investment advisers, registered investment companies, and business development companies to report certain cybersecurity incidents to the SEC. It specifies the types of incidents that should be reported, the timeframe for reporting, and the information that should be included in the reports.

Reiterates the importance of operational resilience in the face of cybersecurity risks. It requires firms to establish and implement written policies and procedures for maintaining the operational resilience of their information systems, including the ability to continue critical operations during and after a cybersecurity incident.