Cybersecurity continues to be a priority for the Securities and Exchange Commission. The SEC’s Office of Compliance Inspections and Examinations conducted a cybersecurity “sweep” examination in 2014 and released a summary of its results in early 2015. The SEC’s Division of Investment Management — which regulates investment companies and investment advisers — has now issued additional cybersecurity guidance in the form of a Guidance Update.
Most registrants will find the Guidance Update to be fairly broad and high-level. It does, however, provide more detail on what reasonable security measures are than the SEC has previously offered, and it expressly confirms that mishandling cyber risks can result in violations of the securities laws by investment companies and investment advisers.
The legal, compliance and information security officers of private and registered fund managers should review this guidance and determine what additional measures within their organization are warranted.
Cybersecurity Guidance Three-Step Approach. The Guidance Update sets forth a three-step approach for registered advisers and investment companies to consider:
1. Assess threats, vulnerabilities and defensive measures currently in place;
2. Design a strategy to prevent, detect and respond to cybersecurity threats; and
3. Implement that strategy through written policies and procedures, internal personnel training and external client education.
Periodic Assessments. For the first step, the Division recommends that a fund or adviser consider periodically assessing “the nature, sensitivity and location of information” that it “collects, processes and/or stores” along with “the technology systems it uses.” Notably, this recommendation is not limited to investors’ personal information but instead extends to all of a firm’s data and intellectual property. Such an assessment amounts to maintaining a detailed inventory and understanding of a firm’s cyber infrastructure, including physical devices, the software platforms and applications used on the network, network resources, connections, and “data flows (including locations where customer data is housed).” The Division also suggests that firms include four additional elements in any cybersecurity assessment:
- Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- Currently existing security controls and processes;
- The impact of the firm’s information or technology systems becoming compromised; and
- The effectiveness of the firm’s governance structure in the context of managing cybersecurity risk.
While the content of this portion of the Guidance Update does not materially extend beyond the implications of the April 2014 Risk Alert, it provides a standard for a firm’s assessment and a lexicon for its defense. As the SEC examination staff likely will incorporate this guidance into their efforts, many managers may want to expressly employ this standard and vocabulary in their next annual compliance review.
A Prevention, Detection and Response Strategy. In the second step of the Guidance Update’s approach, the Division goes further than the earlier Risk Alerts in listing specific techniques to consider using in a strategy to “prevent, detect and respond to cybersecurity threats.” These include:
- Data encryption;
- Restricting the use of removable storage media (e.g., flash drives);
- Deploying software that monitors technology systems for unauthorized intrusions;
- Network segregation; and
- “System hardening.”
The Division also encourages firms to broaden the ways that they gather information on cyber threats and suggests that they might do so by engaging “third-party contractors specializing in cybersecurity and technical standards,” learning from “topic-specific publications and conferences,” and “participating in the Financial Services—Information Sharing and Analysis Center (FS-ISAC).”
This aspect of the Guidance Update provides compliance officers with a framework to present to a firm’s internal or external technical consultants and — again, by setting out a relatively specific list of techniques — presents benchmarking criteria that many compliance officers will want to utilize in reviews of their firms’ cybersecurity strategy.
Implementation. The third step of the Guidance Update is interesting for its mix of conventional and new guidance. The Division suggests that the cybersecurity strategy be implemented through “written policies and procedures and training … to officers and employees[.]” This is relatively generic guidance that applies to, and has been given in, numerous situations. What is notable in the Guidance Update is the fairly strong recommendation to “educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”
Policy and Operational Integration In the Guidance Update, the Division expressly recognizes the need to treat cybersecurity as a thematic issue and not as a policy to be isolated. The Guidance Update specifically identifies identity theft (“red flags”), data protection, operational controls and business continuity as related concepts that require an integrated cybersecurity defense effort. This endorsement of an integrated approach suggests that firms should undertake a comprehensive review of their compliance manuals to identify policies or procedures that should be tailored.
The Division also notes expressly that this effort will require a holistic approach in terms of personnel and organizational responsibilities; the Guidance Updatespecifically contemplates involvement of both compliance and operations functions.
In addition, the Guidance Update reminds advisers and funds that this is not solely an internal effort. It states that firms and funds should look at third-party vendors and products and “consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyber attack.”
Potential Liability The Guidance Update expressly contemplates that liability may result from a failure to “tak[e] appropriate precautions concerning information security.” In framing this discussion, the Division states that “fraudulent activity could result from cyber or data breaches from insiders, such as fund or advisory personnel, and funds and advisers may therefore wish to consider taking appropriate precautions concerning information security,” citing as support anti-fraud and fiduciary rules under both the Investment Company Act and the Investment Advisers Act. The Division’s statement is especially striking given that some courts have held that negligence is sufficient to ground some claims under these acts.
Underscoring this implication of liability for failing to prepare thoroughly for cybersecurity challenges, the Guidance Update closes with this statement:
Appropriate planning to address cybersecurity and a rapid response capability may, nevertheless, assist funds and advisers in … complying with the federal securities laws.
Next Steps for Advisers It is clear from the Guidance Update that the Division is raising the bar for registered advisers and funds in the area of cybersecurity. Greater effort is expected, more tailoring is required and better training is mandated. Falling short could potentially result in liability under the federal securities laws.
Many (or most) advisers and funds simply will not be able to handle all of this internally. Managers are likely to need help from security and cybersecurity experts (for tasks such as penetration testing and vulnerability analyses) as well as from legal and compliance experts.