In a recent investment management guidance update, the United States Securities and Exchange Commission (SEC) addressed the need for greater cybersecurity measures to protect confidential and sensitive information held by registered investment companies and registered investment advisers. The SEC identified several measures, in light of recent cyber-attacks on financial services firms, that funds and advisers may wish to consider in addressing cybersecurity risks, including:
- implementing strategies, through written policies and employee training, to detect, prevent and respond to security threats, such as controlling access to systems and data, data encryption, restricting the use of removal storage media, and incident response planning;
- conducting periodic assessments of the nature and location of sensitive information, the vulnerability of the firm’s information technology systems, existing security controls and processes, the likely impact of a systems breach, and the effectiveness of governance structures in managing cybersecurity risks; and
- creating a strategy designed to prevent, detect and respond to cybersecurity threats.