Continuing its emphasis on the importance of cybersecurity, the U.S. Securities and Exchange Commission (SEC) recently recommended measures that registered investment companies (“funds”) and registered investment advisers (“advisers”) may wish to consider when addressing cybersecurity risks, including:
- periodic assessments of the information collected, technologies used, security controls and processes, and governance structures;
- development of strategies, policies and procedures to prevent, detect and respond to cyber-attacks; and
- training of officers, employees, investors and clients on reducing exposure to cybersecurity threats.
In the Guidance Update, funds and advisers are advised to consider their compliance obligations under the federal securities laws when assessing their exposure to cyber threats. The SEC recommends tailor-made compliance programs, based on the scope and nature of each business, that consider affiliated entities that share common networks as well as relevant service providers, and that address cybersecurity and rapid-response capabilities.
The latest guidance reflects the SEC’s continuing focus on cybersecurity as a key compliance issue. A similar focus is being taken by other regulators, including FINRA (see our related post here). Canadian regulators are also active in the area of cybersecurity (for instance, OSFI’s cybersecurity self-assessment guide) and further scrutiny of businesses’ efforts in this area is expected.