On April 28, 2015, the staff of the Division of Investment Management of the SEC published a Guidance Update addressing cybersecurity risks and the need for funds and advisers to protect confidential and sensitive information concerning fund investors and advisory clients. The staff noted that cyber-attacks on a wide range of financial services firms highlight the need for firms to review their cybersecurity measures.
The staff remarked that funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber-attacks. The staff identified a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following to the extent they are relevant:
- Conduct a periodic assessment of: (1) the type, sensitivity and location of information that the firm collects, processes and/or maintains, and the technology systems it uses for such purposes; (2) internal and external cybersecurity threats and vulnerabilities of the firm’s information and technology infrastructure; (3) security controls and processes currently in place; (4) the potential consequences of a breach in the firm’s information or technology systems; and (5) the effectiveness of the governance structure for the management of cybersecurity risks.
- Create a cybersecurity strategy to mitigate, identify and respond to cybersecurity threats, including: “(1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan.”
- Implement the cybersecurity strategy by means of written policies and procedures and through training that enables officers and employees to appreciate applicable threats and understand the measures designed to prevent, identify and respond to such threats, and that monitor compliance with such policies and procedures.
The staff noted that because funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses. Additionally, the staff noted that funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers. The staff recognized that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack, but that a fund’s or adviser’s appropriate planning to address cybersecurity and a rapid response capability may assist funds or advisers in mitigating the impact of any such attack, as well as complying with the federal securities laws.
The Guidance Update is available at: http://www.sec.gov/investment/im-guidance-2015-02.pdf