On April 28, 2015, the SEC’s Division of Investment Management, with input from the Office of Compliance Inspections and Examinations (“OCIE”), issued new guidance on cybersecurity (the “Cybersecurity Guidance”) for registered investment advisers (“advisers”) and registered investment companies (“funds”).1 The Cybersecurity Guidance provides a roadmap for advisers and funds to evaluate their ability to prevent, detect, and respond to cybersecurity threats.
This new guidance highlights the SEC’s continuing focus on cybersecurity over the past few years. In October 2011, the SEC’s Division of Corporation Finance issued Disclosure Guidance on cybersecurity, which provided the agency’s views regarding material information disclosure related to cybersecurity incidents.2 In March 2014, the SEC held its first Cybersecurity Roundtable to address the growing “cybersecurity threat” facing public companies and the financial services sector.3 On the heels of the Cybersecurity Roundtable, OCIE issued a Risk Alert4 to provide information on its initiative to assess cybersecurity preparedness of broker-dealers and investment advisers. In February of this year, OCIE released a summary of its findings after it performed sweep exams of more than 50 broker-dealers and advisers.5 Most recently, OCIE has given indications that a second phase of its sweep exam may begin as early as 2015 and will include on-site exams. These SEC actions all emphasize the ever-increasing importance of board oversight and senior management involvement in cybersecurity risk management.
By way of this Cybersecurity Guidance, the SEC staff now offers recommendations and best practices for advisers and funds to address cybersecurity threats. The staff recommends that advisers and funds
1) Conduct periodic assessments of:
- the nature, sensitivity, and location of information that the firm collects, processes, and/or stores, and the firm’s technology systems;
- internal and external cybersecurity threats to and vulnerabilities of information and technology systems;
- security controls and processes;
- the impact on a technology system should it become compromised; and
- the effectiveness of the firm’s governance structure to manage cybersecurity risk.
2) Create a compliance strategy that is designed to prevent, detect, and respond to cybersecurity threats. Such a compliance strategy may include:
- controlling access to systems and data through management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
- data encryption;
- protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
- data backup and retrieval; and
- establishing an incident response plan.6
3) Implement written policies and procedures, and provide training, that give officers and employees guidance on applicable threats and on the measures in place to prevent, detect, and respond to such threats, and that monitor compliance with the firm’s cybersecurity policies and procedures. Advisers and funds may also wish to educate their investors and clients about how to reduce exposure to cybersecurity threats concerning their own accounts.
The SEC staff emphasized that an effective cybersecurity assessment will assist firms in identifying potential cybersecurity risks and vulnerabilities so as to mitigate and rapidly respond to cybersecurity threats. Firms should use the results of their assessment to identify their respective compliance obligations and implement a compliance strategy to prevent, detect, and respond to cybersecurity threats. Firms should also tailor their cybersecurity compliance strategy to their size and complexity, the nature and scope of their activities, and the sensitivity of the information that they maintain. In addition, firms may consider the role of service providers in carrying out their operations and determine whether they should assess their service providers’ own cybersecurity measures. Once a cybersecurity compliance strategy has been implemented, firms should periodically test their strategy with advice gathered from third-party vendors specializing in cybersecurity to enhance the effectiveness of their compliance strategy.
In putting this Cybersecurity Guidance into practice, we recommend establishing a cross-functional internal response team and engaging with your board of directors in the discussion and management of cybersecurity risks. Your team should lead internal discussions regarding the application and implementation of these best practices compared to your current practices, and benchmark against other firms. From this gap analysis, this team will be equipped to make recommendations to create an appropriately tailored cybersecurity strategy that allows you to prevent, detect, and respond to cybersecurity threats. As part of a firm’s risk assessment and creation of a cybersecurity strategy, it may be helpful to participate in breach simulations to test the effectiveness of your cybersecurity strategy.