It’s Monday morning — do you know your privacy/security status?
Here are a few bits and bytes to start your week.
SEC to Registered Investment Advisers and Broker-Dealers: It’s Your Turn to Pay Attention to Cybersecurity
The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties. That information includes information concerning fund investors and advisory clients. We’ve summarized key points from the recently-issued Guidance.
The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:
- Conduct a periodic assessment of:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - security controls and processes currently in place;
  - the impact should the information or technology systems become compromised; and
  - the effectiveness of the governance structure for the management of cybersecurity risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats; such a strategy could include:
  - controlling access to:
    - various systems and data via management of user credentials;
    - authentication and authorization methods;
    - firewalls and/or perimeter defenses;
    - sensitive information and network resources;
    - network segregation;
    - system hardening; and
    - data encryption.
  - protecting against the loss or exfiltration of sensitive data by:
    - restricting the use of removable storage media; and
    - deploying software that monitors technology systems for:
      - unauthorized intrusions;
      - loss or exfiltration of sensitive data; or
      - other unusual events.
  - data backup and retrieval; and
  - the development of an incident response plan.
  - Routine testing of these measures could also enhance the effectiveness of any strategy.
- Implement the strategy through:
  - written policies and procedures; and
  - training that:
    - provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
    - monitors compliance with cybersecurity policies and procedures.
Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) it visited had experienced cyber-attacks, either directly or indirectly through vendors.
Penn State University Confirms Cyberattack Originated in China
If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while. The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China. Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered. The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.
For more: Cyberattack on Penn State University
Digital Advertising Alliance to Enforce Mobile App Principles
Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment. The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment. Mobile tools for consumers were released in February: App Choices and the Consumer Choice Page for Mobile Web.
The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for user-created data such as calendars, address books and photo/video content that is stored on or accessed through a particular device.
After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.