SEC’s Formal Risk Alert and DDQ Questions to Ask Yourself


It’s easy to adopt an “if nothing is broken, why fix it” mindset when it comes to operations, but this approach keeps your company complacent and exposed to risk. As more of investment operations become dependent on technology, the rate at which those operations change accelerates. And it is not only the technology that keeps evolving, but also how people use it.

Simply implementing new measures and testing new systems is only one part of improving the IT infrastructure. Making sure those systems are resistant to cybersecurity threats is potentially even more important. Threats are growing ever more potent as attackers find new and creative ways to gain access, such as the incident reported in 2018 in which intruders stole data from a casino by breaking in through an internet-connected fish tank thermometer.

It is almost impossible to gauge how resistant your firm is to cyber attacks with only high-level knowledge. The recommended way to assess your firm’s security posture is with a due diligence questionnaire (DDQ). A comprehensive DDQ should cover a broad range of topics and dive deep enough to yield a nitty-gritty understanding of what kind of data is handled and how each piece of it is secured.

On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a formal Risk Alert documenting common deficiencies in how firms handle sensitive customer data. The deficiencies range from mishandling and improper distribution of customer information to common system vulnerabilities.

At Agio, we pride ourselves on the cutting-edge IT and digital security services we provide. In response to the OCIE’s Risk Alert, we updated our comprehensive SEC cybersecurity mock audit service to capture the real-life scenarios a firm faces when audited. Below are a few of the questions we ask during our mock audit process.

Technology Vendor

  • When did the firm last perform thorough due diligence on its current IT vendors?

Data Management

  • Is sensitive customer data being sent to personal devices?
  • Does the firm have a formal and documented policy for accessing data?
  • Does the firm’s IT staff or technology partner have complete access to sensitive company information? Should they see everything?
  • What is the protocol for when customer information is suspected to be lost?
  • What third-party platforms are used to aggregate data? And how is the data being stored?

Network Security Policy

  • Does the firm have an intrusion detection or prevention system (IDS/IPS) to detect, and where possible block, unauthorized access? An IDS on its own only alerts; blocking requires an IPS or a response process that acts on those alerts.
  • How are employee emails protected against spam or phishing attempts?
  • Is there a solution in place (for example, full-disk encryption and remote wipe) to keep the data on devices secure in the event of loss or theft?

Disaster Recovery

  • Is there a formal and well-documented business continuity plan?
  • Are there dedicated sites or locations for preserving and backing up data?
  • Has the disaster recovery plan been tested?