Let's discuss the internal vulnerability scan — the process regulators expect firms to use to identify cybersecurity risks in systems that handle client data.

Under SEC expectations for investment advisers…