The Securities and Exchange Commission (SEC) continues to focus on cybersecurity. In April 2015, the SEC’s Division of Investment Management issued cybersecurity guidance in the form of a Guidance Update. The Guidance Update followed on the heels of, and was informed by, a “sweep” examination conducted by the SEC’s Office of Compliance Inspections and Examinations.
While the Guidance Update applies on its face to registered advisers and funds, it is instructive as best practices for unregistered funds and advisers over whom the SEC retains general anti-fraud authority.
The Guidance Update sets forth a three-step approach for registered advisers and investment companies:
- Assess current threats, vulnerabilities and defensive measures;
- Design a strategy to prevent, detect and respond to cybersecurity threats; and
- Implement that strategy through written policies and procedures, internal personnel training, and external client education.
Periodic Assessments. The Division recommends that a fund or adviser periodically assess its cybersecurity situation.
The Division suggests that firms include the following elements in any cybersecurity assessment:
- The nature, sensitivity, and location of all information (including but not limited to personal information) that it collects, processes, and/or stores along with the technology systems it uses;
- Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- Currently existing security controls and processes;
- The impact of the firm’s information or technology systems becoming breached; and
- The effectiveness of the firm’s governance structure in the context of managing cybersecurity risk.
Prevention, Detection, and Response. The Division lists specific techniques that advisers or funds may want to employ to prevent, detect, and respond to cybersecurity threats. These include:
- Controlling access to firm systems, including through passwords, user authentication, and other methods;
- Data encryption;
- Restricting the use of removable storage media (e.g., flash drives);
- Deploying software that monitors technology systems for unauthorized intrusions;
- Network segregation;
- “System hardening”;
- Data backup and retrieval;
- Developing an incident response plan; and
- Routine testing of such strategies.
The Division encourages firms to engage third-party contractors specializing in cybersecurity and technical standards, to learn from topic-specific publications and conferences, and to participate in the Financial Services—Information Sharing and Analysis Center (FS-ISAC), an industry resource for cyber and physical threat intelligence analysis and sharing.
Implementation. The Division suggests that the cybersecurity strategy be implemented through written policies and procedures and through training for officers and employees. The Guidance Update reminds advisers and funds that they should consider reviewing their contracts with their service providers to determine whether those contracts sufficiently address technology issues and related responsibilities in the event of a cyberattack.
Next Steps for Advisers
The Guidance Update expressly contemplates that liability may result from a failure to take appropriate precautions concerning information security. It is clear from the Guidance Update that the Division expects greater effort, more tailoring and better training in the area of cybersecurity. This Guidance Update will likely serve as a basis for any inspections by the SEC staff dealing with cybersecurity. Accordingly, investment advisers may want to expressly employ some or all of these standards and language in their compliance policies and next annual compliance review.