The SEC’s Division of Investment Management recently released cybersecurity guidance highlighting best practices and warning that cybersecurity breaches and deficiencies in cybersecurity programs could cause funds and advisers to run afoul of securities laws. Importantly, the guidance places significant obligations on compliance officers to ensure that funds have adopted adequate cybersecurity policies and procedures.
The guidance recommends that funds and advisers conduct periodic cybersecurity assessments; create a strategy to prevent, identify, and respond to cyber threats; and implement the strategy through policies, procedures, and training that help to guide officers and employees and monitor compliance. According to the guidance, periodic assessments should include attention to internal and external vulnerabilities as well as the likely effects of a breach so that funds and advisers can better assess and mitigate risk. With respect to cybersecurity strategies, funds and advisers should consider exerting tighter control over data access, ramping up encryption, limiting the use of removable storage media to prevent data theft, monitoring system access, backing up data, developing an incident response plan, and implementing routine testing.
The guidance further reminds funds and advisers that their compliance policies must be reasonably designed to prevent violations of securities laws and goes on to list, by way of footnote, multiple ways in which cybersecurity problems could result in securities law violations. The guidance notes various data protection requirements applicable to certain funds and advisers and warns that cybersecurity breaches by firm insiders could constitute fraud. In the past, the SEC has observed that an adviser has a fiduciary obligation to protect clients’ interests even where circumstances, such as a natural disaster, render it unable to provide advisory services. The guidance cautions that a cybersecurity breach could put an adviser in a similar position and cause a breach of fiduciary duty. Finally, the guidance notes that a cybersecurity attack that renders a fund unable to process and redeem shares could cause a violation of section 22(e) under the Investment Company Act of 1940, which generally prohibits funds from suspending redemptions or postponing redemption payments for more than seven days after the redemption request.
Other recommendations provided include educating investors about how to better protect their accounts and reviewing service providers’ cybersecurity systems. In that regard, the SEC recommends that funds review their service provider contracts for cybersecurity protections and the availability of insurance coverage for cybersecurity problems. Of note, cybersecurity insurance coverage for damage by a service provider to third parties, such as funds, is not believed to be widely available.
As noted above, the guidance is significant because of the onus it places on compliance. That said, we believe compliance officers would, out of necessity, have to rely on information that information technology professionals provide in making their assessments and in drafting policies and procedures that comply with federal securities laws. In addition, the guidance refers funds to the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and to the Office of Compliance Inspections and Examinations (OCIE) 2014 sample list of requests for cybersecurity information as resources for developing risk mitigation strategies.