Reasoning that the variety of entities that it regulates precludes the SEC from dictating a single workable cybersecurity solution, the agency generally takes a principles-based approach to cybersecurity regulation. This leaves registrants to wonder if their procedures and safeguards will withstand scrutiny during an SEC examination. This was addressed during the recent IAPP Global Privacy Summit at a presentation featuring Stephanie Avakian, Acting Director of the SEC Division of Enforcement, Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, and Jay Johnson, partner at Jones Day. This second article in our two-part series discusses the SEC’s cybersecurity examination process and provides guidance on disclosing cyber incidents. The first article highlighted the agency’s cybersecurity-related enforcement actions and coordination with law enforcement and state regulators. For more on managing cyber risks, see “Cyber Insurance Coverage, Pre-Breach Mitigation Efforts and Post-Breach Response Plans Can Reduce Harm to Fund Managers From Cyber Attacks” (Jan. 19, 2017); and “Growing SEC Enforcement of Hedge Fund Managers Requires Greater Focus on Cybersecurity and Financial Disclosure” (Jul. 7, 2016).