Shortly after the Target breach in late 2013, the SEC began a cybersecurity "sweep" across a selection of 50 registered investment advisors (RIAs), intending to obtain some perspective on their information security rigor. In mid-April 2014, the SEC released the "28 Questions" document, which made public the audit questions asked during the document request process. The document quickly became a quasi-standard used by buy-side firms to gauge their preparedness, and due diligence teams of institutional investors began to incorporate these questions into their annual reviews.
The OCIE-SEC did not rest on its laurels. Over the next three years, it released additional risk alerts focused on cybersecurity issues and concerns. In late 2015, it released a particularly important risk alert emphasizing the following areas of focus: