The Division of Investment Management of the Securities and Exchange Commission issued guidance to registered investment companies and advisers regarding cybersecurity. The guidance recommends three prongs: investment companies and advisers should (1) periodically assess the type, sensitivity and location of data they oversee at any time; internal and external cybersecurity threats; protective measures already implemented; the repercussions of a breach; and the governance structure related to cybersecurity risks; (2) implement written policies and procedures to avoid, detect and respond to cybersecurity breaches; and (3) ensure appropriate training for employees and education for clients. The Division also recommends that investment companies and advisers routinely test their cybersecurity policies and procedures; utilize software that monitors systems for cybersecurity breaches; and assess the cybersecurity programs of third-party service providers and their effectiveness. Finally, the Division notes that one size does not fit all, and that “[b]ecause funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their business.” Earlier this year, both the Office of Compliance Inspections and Examinations and the Financial Industry Regulatory Authority published observations from their review of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats. (For details, see the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.)
Compliance Weeds: As I have written before, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and do not know it. By now all financial services firms—no matter what size—should have assessed, or be in the process of assessing, the scope of their data (e.g., customer information, proprietary information), potential cybersecurity risks, protective measures in place, the consequences of a breach and cybersecurity governance (e.g., how they would react if there were a breach). Engaging an outside consultant to try to penetrate a firm’s systems is also advisable, as is ensuring that each third-party service provider that accesses a firm’s data has its own robust cybersecurity program. Only with such information can an appropriate cybersecurity program be developed, tailored to the size, risks and unique business of a firm.