The U.S. Securities and Exchange Commission’s (“SEC”) Division of Investment Management (“Division”) recently released a Guidance Update (“Guidance”) highlighting the importance of cybersecurity for registered investment companies (“funds”) and registered investment advisers (“advisers”). In the Guidance, the Division identified a number of measures for funds and advisers to consider in addressing cybersecurity risk and rapid response capability.
Conducting Periodic Assessments
The assessment would assist in identifying potential cybersecurity threats and vulnerabilities to facilitate prioritization and mitigation of risk. It should focus on:
- the nature, sensitivity, and location of information;
- internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- security controls and processes currently in place;
- the impact of any compromise to the information or technology systems; and
- the effectiveness of the governance structure for the management of cybersecurity risk
Creating a Strategy Designed to Prevent, Detect, and Respond to Cybersecurity Threats
The strategy, which should be tested routinely to enhance its effectiveness, could include:
- controlling access to various systems and data through management of user credentials, authentication and authorization methods, tiered access, network segregation, firewalls and/or perimeter defenses;
- utilizing data encryption;
- protecting against the loss or exfiltration of sensitive data by restricting use of removable storage media and deploying monitoring software;
- using data backup and retrieval; and
- developing an incident response plan.
Implementing the Strategy
The strategy could be executed through:
- developing and circulating written policies and procedures;
- training regarding applicable threats and measures to prevent, detect, and respond to such threats;
- monitoring of compliance with cybersecurity policies and procedures; and
- educating clients and investors on how to reduce exposure to cybersecurity threats concerning their accounts.
In identifying these measures, the Division recognized that the relevance and usefulness of certain measures depend on the funds’ and advisers’ particular circumstances, including the nature and scope of the business, and that it is not possible to anticipate and prevent every cyber attack. In addition, funds and advisors who rely upon service providers in carrying out their operations should consider assessing whether the service providers have protective cybersecurity measures in place.
Given the SEC’s continued focus on cybersecurity issues and the likelihood of more inspections focused on cybersecurity, funds and advisers should review their cybersecurity programs and consider implementing some of the recommendations the Guidance offers. Funds and advisers need to identify and account for their respective compliance obligations under the federal securities laws and mitigate exposure to cyber-related compliance risks through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. As the Guidance reminds us, appropriate planning may assist in mitigating the impact of a cyber attack and complying with the federal securities laws.
The full text of the SEC Division’s Guidance document is available on the SEC’s website.