Registered investment advisers should periodically assess their cybersecurity vulnerabilities, create strategies to respond, and make sure they are making the strategies work.  So says the Division of Investment Management of the Securities and Exchange Commission (SEC), which has been highlighting the importance of cybersecurity issues for registered investment advisers for quite some time, and just released updated guidance on the issue.  Because the nature of cyber threats is always evolving, we can expect the SEC to continue this increased focus on and monitoring of cybersecurity issues in the future.  

The increasing number of cyber-attacks highlights the need for continued vigilance by funds and investment advisers, including periodic reviews of likely cybersecurity risks and periodic fine-tuning and updating of cyber security policies to address those risks.   It is not only the SEC that is interested in this process and the policies a fund or adviser may adopt to address cybersecurity risks.  Clients, limited partners and other investors increasingly focus on this issue as part of the diligence behind initial retention and investment decisions, and also during their own periodic cybersecurity risk assessments.  

In its most recent guidance, the SEC highlighted a number of cybersecurity considerations for investment advisers and funds, including the following: 

1)  You should conduct periodic assessments of: 

  • The nature, sensitivity and location of information that the fund or adviser collects, processes and/or stores, and the technology systems it uses to do so;  
  • The cybersecurity threats to and vulnerabilities of the fund’s or adviser’s information and technology systems, from both internal sources and external sources;  
  • The security controls and processes that the fund or adviser currently has in place, and their relative effectiveness at addressing cybersecurity threats and vulnerabilities;  
  • The likely impact to the fund or adviser as well as to investors if any information or technology systems are compromised; and  The overall effectiveness of the fund’s or adviser’s management of cybersecurity risk, including whether risks are identified and appropriately prioritized and mitigated. 

2)  You should develop and periodically evaluate and update strategies to prevent, detect and respond to cybersecurity threats.  As with any other compliance policies or procedures, you should test all cybersecurity strategies routinely to enhance their effectiveness.  The SEC highlighted the following strategies in particular:  

  • Controlling access to sensitive systems and data (by, for example, managing user credentials, adopting appropriate authentication and authorization methods, firewalls and/or perimeter defenses, mandating tiered access to sensitive information and network resources, and/or adopting appropriate network segregation);  
  • Enforcing data encryption where appropriate;  
  • Restricting the use of removable storage media and monitoring systems for unauthorized intrusions, deletion or removal of sensitive data, or other unusual events;  
  • Implementing appropriate data backup and retrieval systems; and  
  • Developing an appropriate incident response plan.  

3)  You should adopt and implement written cybersecurity policies and procedures, train employees to prevent, detect, recognize and respond to such threats, and monitor and enforce compliance with all cybersecurity policies and procedures.

As with any other risk, cybersecurity compliance policies and procedures should be specifically tailored to the nature and scope of the particular fund’s or adviser’s business. Additionally, funds and advisers should consider whether third party service providers have adopted appropriate protective cybersecurity measures, and undertake periodic diligence to verify that appropriate cybersecurity measures have been taken.

Although it is not possible for any fund or adviser to anticipate and prevent every cyber-attack, increased awareness and focus should lessen the risk of being caught unaware, and mitigate potential losses.