Guidance Highlights the Importance of Cybersecurity for Funds and Advisers and Suggests Measures To Consider When Addressing Cybersecurity Risks
On April 28, 2015, the Securities and Exchange Commission’s Division of Investment Management released cybersecurity guidance (the “Guidance”) for registered investment companies (“funds”) and registered investment advisers (“advisers”). The Guidance explains that the Division has identified the cybersecurity of funds and advisers as an important issue and discusses various cybersecurity risks and measures to be considered when addressing those risks. The principal recommendations are for funds and advisers to consider, as appropriate: (1) periodic assessments of cybersecurity threats and vulnerabilities, (2) a prevention, detection and response strategy, and (3) policies, procedures, training and education. The Guidance is clear that these suggested measures are not intended to be comprehensive, and that funds and advisers should determine whether these or other measures need to be considered.
While the Guidance acknowledges that “it is not possible for a fund or adviser to anticipate and prevent every cyber attack,” it warns that cybersecurity risks can contribute to a violation of the federal securities laws by the fund or adviser. The Guidance also provides that “because of the rapidly changing nature of cyber threats, the Division will continue to focus on cybersecurity and monitor events in this area.”
The Guidance announces that the Division has identified cybersecurity of funds and advisers as an “important issue,” underscored by the facts that (1) a wide range of financial services firms has been subject to cyber attacks, and (2) both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from third parties, including information concerning fund investors and advisory clients. The Guidance is designed to highlight the importance of the issue and to discuss measures that funds and advisers may wish to consider in addressing cybersecurity risks, giving due consideration to their particular circumstances.
A. CYBERSECURITY MEASURES
The measures highlighted by the staff are divided into three main groups: (1) periodic assessments, (2) prevention, detection and response strategies, and (3) written policies and procedures, training and education. The Guidance cautions that the suggested measures are not intended to be comprehensive. Other measures may be better suited to the operations of a particular fund or adviser, and the Guidance encourages each fund and adviser to determine whether these or other measures need to be considered in connection with addressing cybersecurity risks.
1. Periodic Assessments
The Guidance encourages consideration of periodic assessments to assist in “identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.”
Five areas of focus were identified for these assessments:
- The nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses.
- Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems.
- Security controls and processes already in place.
- The impact should the information or technology systems become compromised.
- The effectiveness of the governance structure for the management of cybersecurity risk.
If the fund or adviser is affiliated with other entities that share common networks, the fund or adviser should consider whether it would be appropriate to conduct an assessment of the entire corporate network.
2. Strategies to Prevent, Detect and Respond to Cybersecurity Threats
The Guidance suggests consideration of strategies designed to prevent, detect and respond to cybersecurity threats. Seven components of a strategy were identified:
- Controlling access to systems and data through management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening.
- Data encryption.
- Protection against loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events.
- Mechanisms to monitor for ongoing and new cyber threats by gathering information from outside sources, including vendors, third-party contractors and topic-specific publications and conferences. The Guidance also encourages consideration of participation in the Financial Services—Information Sharing and Analysis Center (FS-ISAC), and highlights the systemic benefits of participation in information sharing organizations such as FS-ISAC, through which funds and advisers can share cyber threat information with other members in the financial services sector.
- Data backup and retrieval.
- Implementation of an incident response plan.
- Routine testing to enhance the effectiveness of any strategy.
3. Written Policies and Procedures, Training and Education
The Guidance suggests consideration of written policies and procedures to implement any strategies and training of officers and employees. The Guidance also provides that firms may wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
B. CYBERSECURITY RISKS AND COMPLIANCE WITH FEDERAL SECURITIES LAWS
The Guidance highlights certain compliance risks under the federal securities laws in connection with cybersecurity threats and vulnerabilities. For example:
- Identity Theft and Data Protection. Funds and advisers should consider measures to protect commercial or market-sensitive information which, if disclosed, may “adversely affect customers’ interests.”
- Fraud. As fraudulent activity could result from cyber or data breaches from insiders, such as fund or advisory personnel, funds and advisers should consider taking appropriate precautions.
- Business Continuity. As an example, an adviser’s fiduciary obligation to its clients includes not placing clients at risk as a result of an adviser’s inability to provide advisory services.
- Disruptions in Service. As an example, if an open-end fund is prevented by a cyber attack from processing a redemption request from a shareholder, the Guidance suggests that the fund may be in violation of Section 22(e) of the Investment Company Act of 1940 and Rule 22c-1 thereunder. The Guidance notes that cyber attacks could also prevent both funds and advisers from investing or managing assets in a manner consistent with their stated investment policies.
The Guidance highlights that funds and advisers may mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. Additionally, because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers. As an example, service providers may be given limited access to a fund’s technology systems that may inadvertently enable unauthorized access to data held by the fund. Funds, as well as advisers, may wish to consider reviewing their contracts with their service providers to determine whether their contracts sufficiently address technology issues and related responsibilities in the case of a cyber attack. The Guidance also encourages funds and advisers to consider whether insurance coverage related to cybersecurity risk is necessary or appropriate.
The Guidance is flexible in recognizing that there is no “one size fits all” answer, because funds and advisers are varied in their operations and must tailor their compliance programs to the nature and scope of their businesses, and it acknowledges that “it is not possible for a fund or adviser to anticipate and prevent every cyber attack.” At the same time, it indicates that “because of the rapidly changing nature of cyber threats, the Division will continue to focus on cybersecurity and monitor events in this area.” In light of the Division’s identification of the cybersecurity of funds and advisers as an important issue, and the warning in the Guidance that cybersecurity risks can contribute to a violation of the federal securities laws by the fund or adviser, funds and advisers should consider whether the cybersecurity measures identified in the Guidance, or other measures, would be appropriate.