The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert notifying firms it will conduct IT security examinations of more than 50 registered broker-dealers and registered investment advisers.

The Commission’s jurisdiction in cyber security is focused on the integrity of market systems, customer data protection, and disclosure of material information.

Prior to this, the SEC required Risk Factors to be examined, but did not issue an alert.

Division of Corporation Finance
Securities and Exchange Commission

CF Disclosure Guidance: Topic No. 2

Cyber Security

Date: October 13, 2011


“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cyber security risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant.

  • Discussion of aspects of the registrant’s business or operations that give rise to material cyber security risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cyber security risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.”