As registered investment companies (“funds”) and registered investment advisers increasingly rely on information technology, the US Securities and Exchange Commission (SEC) continues to focus its attention on cybersecurity issues. Following the SEC’s Office of Compliance Inspections and Examinations (OCIE) summary of cybersecurity “sweep” exams issued in February,[1] the SEC’s Division of Investment Management (Division) recently issued a cybersecurity guidance update (Guidance) for funds and advisers.[2] The Guidance emphasizes the importance of mitigating cybersecurity risks and suggests a number of preventative measures that funds and advisers should consider implementing.
The Guidance provides a broad three-step approach for funds and advisers to consider when analyzing cybersecurity risks and potential preventative measures to adopt.
- First – Conduct a Periodic Assessment of Cybersecurity Risks. This assessment is intended to assist in prioritizing and mitigating risks by identifying the potential cybersecurity threats and vulnerabilities of a fund or an adviser. Funds and advisers should consider the sensitivity and nature of the information they collect and process and where such information is stored. They need to identify both internal and external cybersecurity threats and vulnerabilities to the information, as well as to any technology systems currently in use. Funds and advisers should also assess their current security controls and processes and the effectiveness of their governance structure that manages cybersecurity risks. Lastly, they need to evaluate the impact of a compromise on any information or technology system.
- Second – Create a Strategy to Prevent, Detect and Respond to Cybersecurity Threats. The strategy should include various procedures to control access to systems and data, such as managing user credentials, authentication and authorization methods, firewalls, perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening. A fund or adviser could also implement data encryption, as well as data backup and retrieval measures. The strategy should address minimizing the use of removable storage media and utilizing software that monitors for any unauthorized intrusions, loss or exfiltration of sensitive data and any other unusual event. Funds and advisers should also develop an incident response plan and routinely test the effectiveness of their strategy.
- Third – Implement the Strategy. Funds and advisers need to implement their strategies through written policies and procedures and by monitoring compliance with them. They should also provide training and guidance to their officers and employees on how to identify, prevent and respond to any threats. Funds and advisers can also inform their investors and clients of how to minimize the risk of their accounts being exposed to cybersecurity threats.
These suggested measures are not intended to be comprehensive. Rather, funds and advisers need to assess their particular operations and customize an approach that best fits their needs. For example, funds and advisers that share common networks with their affiliated entities should consider whether it is appropriate to conduct an assessment of the entire corporate network. The Guidance also encourages funds and advisers to monitor ongoing and new cyber threats by gathering information from outside resources, such as vendors, third-party contractors specializing in cybersecurity and technical standards, publications and conferences, as well as participating in the Financial Services—Information Sharing and Analysis Center (FS-ISAC).[3] Each fund or adviser should determine whether these or other measures need to be considered when tailoring their compliance programs based on the nature and scope of their particular business.
The Guidance also notes that, in the Division’s view, funds and advisers should take their obligations to comply with federal securities laws into account when addressing cybersecurity risks and establish policies and procedures reasonably designed to prevent violations of federal securities laws in the event of a cyber-attack. The Guidance specifically suggests supplementing existing compliance programs to assess and mitigate cybersecurity risk as it relates to identity theft, data protection, fraud and business continuity, in addition to other disruptions in service that could affect, for example, an adviser’s ability to process capital calls or distributions for its private funds under management. The Guidance highlights that fraudulent activity can also result from internal breaches by fund or advisory personnel, and funds and advisers should therefore consider taking appropriate internal precautions concerning information security as well. The Guidance further notes that funds and advisers are especially vulnerable to cyber-attacks due to their reliance on third-party vendors to conduct their daily operations. Accordingly, funds and advisers should review their own operations and compliance programs, as well as those of their service providers, to assess whether they have appropriate measures in place designed to mitigate exposure to cybersecurity risk.