On April 28, 2015, the SEC’s Division of Investment Management issued guidance to registered investment companies (“funds”) and registered investment advisers as part of the SEC’s continuing effort to help the entities it regulates navigate turbulent cybersecurity waters filled with both nation-state hackers and international cyber-criminals.1 Like the SEC’s previous guidance to public companies2 and to registered investment advisers,3 this guidance seeks to make sure that entities under the SEC’s watch are “keeping their eye” on the proverbial cybersecurity ball, by re-emphasizing certain important guidance issued in the OCIE Alert.
Importantly, the April 2015 Guidance notes that it was the product of many discussions with fund boards and advisers, and was designed with the “input from the Office of Compliance Inspections and Examinations’ review of adviser cybersecurity practices.”4 The April 2015 Guidance then goes on to list a variety of measures and considerations which the SEC continues to think are critical for good cybersecurity hygiene, including:
- Periodic assessments and reviews of the data that the firm collects, processes, and stores, as well as the security controls, processes, and governance procedures in place for the management of cybersecurity risk;
- Strategies in place to control access to the network via control of user credentials and privileges, as well as authentication methods to prevent unauthorized access;
- Data encryption technologies (which would include encryption of both “data at rest” and “data in transit” solutions);
- Incident response and data backup and recovery plans; and
- Written policies, procedures, and training materials to provide guidance to employees on applicable threats, and what measures can be taken to prevent, detect, and respond to such threats.
Though fundamentally there is nothing new in the April 2015 Guidance, we do take to heart the following statement:
“In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws.”5 [emphasis supplied]

April 30, 2015 Alert – Cybersecurity, Data Privacy & Information Management: “SEC Division of Investment Management Provides Cybersecurity Guidance to Registered Funds and Advisers,” by Paul Ferrillo and David Wohl, Weil, Gotshal & Manges LLP
Coupled with the OCIE Alert and the SEC’s announcement of the early results of its cybersecurity “street sweeps” examination published on February 3, 2015,6 we see the April 2015 Guidance as a reminder to registered funds and investment advisers that the SEC “says what it means, and means what it says” when it comes to cybersecurity, and that these entities should be fully prepared to answer questions related to the SEC’s cybersecurity guidance during the course of a routine SEC examination or as a result of a cybersecurity incident.