The Securities and Exchange Commission (“SEC”) has published a Guidance Update setting out cybersecurity concerns and advice for the registered investment companies and investment advisers which it regulates. This publication comes only a few months after the SEC published previous guidance concerning brokerage and advisory firms, as we previously reported.
According to the new Guidance Update, there are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following:
- Conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes or stores, the technology systems it uses, and the impact of a scenario in which the information systems become compromised. In addition, it is necessary to assess the effectiveness of the governance structure for the management of cybersecurity risks.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats.
- Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.