5. Get it in writing
Firms must be prepared to show written documents such as memos, time-stamped reports and Excel spreadsheets that can prove a firm is doing what it claims to be doing, Mr. Stanley said.
“As far as the SEC is concerned, if it wasn’t written down, it never happened,” he said. “You want to create a written trail that you can hand over to the SEC during an exam to prove how seriously you take cybersecurity.”