Emphasizing the critical importance of cybersecurity to registered investment companies (RICs), including insurance separate accounts and business development companies, and to investment advisers, the SEC’s Division of Investment Management issued new Cybersecurity Guidance on April 28, 2015 (Guidance).1 As RICs and advisers become ever more dependent on information technology to conduct their business and as cyber threats increase in intensity and destructive potential, the Division urges RICs and advisers to review their cybersecurity strategy and improve their rapid response capability by employing the familiar paradigm of risk assessments, action plans, written compliance policies and procedures, and oversight of service providers, with a view to mitigating harm to investors and preventing violations of the federal securities laws.
The Division’s recommendations draw upon the recent discussions on cybersecurity that the Division has held with fund boards and with senior management at investment advisers, as well as the SEC’s Cybersecurity Roundtable in 2014 and the subsequent Risk Alerts and cyber readiness reviews conducted by the SEC’s Office of Compliance Inspections and Examinations. [Legal Alert: SEC Releases Results of 2014 Cybersecurity Exam Sweep, Feb. 4, 2015.]
In the view of the Division staff, RICs and advisers should identify their obligations under the federal securities laws and take these obligations into account when assessing their ability to prevent, detect and respond to cyber attacks. Citing to the adopting release for the compliance rules, Rule 38a-1 under the Investment Company Act of 1940 (1940 Act) and Rule 206-4(7) under the Investment Advisers Act of 1940, the Guidance notes that RICs and advisers could mitigate the compliance risks associated with cyber threats by addressing the following in their compliance program, as applicable:2
- Identity theft and data protection. Referring to Regulation S-P, Regulation S-ID and related guidance, the Guidance notes that protection of commercial or market-sensitive information, as well as customer data, from malicious cyber intrusion may be necessary to protect customers’ interests.
- Fraud. Explaining that cyber or data breaches by insiders, such as fund or advisory personnel, can give rise to fraudulent activities, the Guidance suggests that funds and advisers take appropriate precautions under their Codes of Ethics concerning information security and employee behavior.
- Business continuity. The Guidance notes that an adviser’s fiduciary duty to its clients includes the obligation not to put clients at risk of the adviser’s inability to provide advisory services, citing to Rule 206(4)-7.
- Disruptions in service that could affect a RIC’s ability to process transactions. The Guidance reminds RICs that they may be in violation of section 22(e) and Rule 22c-1 under the 1940 Act if a cyber attack prevents a RIC from processing and redeeming shares as required. Cyber attacks could also prevent RICs and advisers from investing and managing assets in a manner consistent with the prospectus and other representations and contractual provisions.
- Management and oversight of service providers. The Guidance comments that because RICs and advisers rely on service providers to carry out their operations, they should assess whether protective cybersecurity measures are in place at their service providers. The Division staff suggests that RICs and advisers review their contracts with service providers to determine whether they sufficiently address technology issues and responsibilities for cyber attacks. The staff also suggests assessing whether any insurance coverage related to cybersecurity risk is necessary or appropriate.
RICs and advisers are advised to review their operations and compliance programs and assess whether they have measures in place designed to mitigate their exposure to cybersecurity risk.
The Division staff also suggests that RICs and advisers consider taking the following steps to address cybersecurity risks, as applicable:
- Conduct periodic cybersecurity risk assessments. Such risk assessments could address:Similar to other federal and state regulators, the Division staff suggests that RICs and advisers consult the NIST Framework4 when considering a strategy for mitigating exposure to cyber attacks.
- Where sensitive information is located, processed and stored and the capabilities of the technology systems used in those processes;
- Internal and external threats to, and vulnerabilities of, sensitive information and technology systems;
- Physical and technical security controls and processes in place;
- The impact if the information and technology systems are compromised; and
- The effectiveness of the governance structure for managing cybersecurity risks.3
- Create a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
- Technical controls, such as access controls, dual authentication, firewalls, tiered access to sensitive information, network segregation and other measures;
- Data encryption;
- Restricting the use of removable storage media and using software that monitors technology systems for unusual activity, unauthorized incursions and exfiltration of sensitive data;5
- Data backup and retrieval processes; and
- Development of an incident response plan and routine testing of the effectiveness of the strategy.
- Implement the strategy through written policies and procedures and training. Officers and employees should be trained regarding the applicable threats and measures to prevent, detect and respond to such threats. RICs and advisers may also consider education of their investors and service providers to reduce their exposure to cybersecurity threats.
The Division believes that RICs and advisers will be better prepared to mitigate the impact of any cyber attacks if they adopt these measures when planning to address their cybersecurity risks and rapid response capability. While the Division recognizes that it is not possible to anticipate and prevent every cyber attack, the Division believes that appropriate planning and readiness will mitigate the effects of a cyber attack on investors and clients and assist RICs and advisers to comply with the federal securities laws. The Division will continue to focus on cybersecurity and monitor events in this area.