The SEC’s Division of Investment Management issued a guidance update last week reminding registered investment advisers and registered investment companies of the importance of cybersecurity and providing recommendations on specific measures that advisers and investment companies should consider in addressing their cybersecurity risks. Last week’s guidance update demonstrates the SEC’s continued focus on cybersecurity as part of its compliance initiatives. In April 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced a cybersecurity exam initiative and, in a February 2015 Risk Alert, reported findings from that exam initiative. OCIE’s Risk Alert described the results from examinations of over 100 advisers and broker-dealers noting that approximately 80 percent of the firms examined had experienced some type of cyber-attack. Now, the Investment Management (“IM”) staff has weighed in with a number of security measures that investment companies and advisers should consider implementing to safeguard confidential and sensitive information. Advisers should be particularly mindful of this guidance as it will likely serve as a basis for any inspections by the staff dealing with cybersecurity.
In summary, the IM staff suggests the following:
- Periodic cyber-assessments aimed at risk prioritization and mitigation, including assessments of (1) the nature and location of information collected and stored on systems; (2) potential vulnerabilities; (3) current security protocols; (4) the potential impact of a breach; and (5) the governance structure’s ability to manage cybersecurity risk.
- Creation of a strategy designed to prevent, detect, and respond to cybersecurity threats, which might include (1) layered controls on system access, including authentication controls (such as complex passwords or multi-factor authentication) and technological controls (such as firewalls); (2) data encryption; (3) restrictions on the use of removable storage media; (4) data backup and retrieval; and (5) development of an incident response plan.
- Implementation of a strategy to provide guidance to officers and employees regarding potential cyber-threats and measures to prevent, detect, and respond to such threats.
- Development of compliance policies and procedures reasonably designed to prevent violations of the federal securities laws, including policies to prevent, detect, and respond to cybersecurity threats related to identity theft and protection, fraud, and business continuity, as required by Regulations S-P and S-ID.
- Ongoing monitoring of compliance with cybersecurity policies and procedures.
- Evaluation of third-party service providers’ cybersecurity policies and procedures.
Advisers and investment companies should review the SEC’s latest guidance, available here, and consider whether any changes to current compliance programs are warranted. Registrants should also refer to OCIE’s prior Risk Alerts on the cybersecurity examination, available here and here, summarizing exam results and providing an appendix of sample exam information requests. The Alerts provide important guidance regarding OCIE’s expectations of the components of cybersecurity policies and procedures.