On April 27, 2015, the SEC’s Division of Investment Management (Division) published IM Guidance Update 2015-02 (Guidance). IM Guidance Updates do not carry the authority of a rule or regulation; they summarize the Division’s staff’s views on emerging industry issues. In this Guidance, the Division suggested broad cybersecurity measures to protect confidential and sensitive information related to the operations of registered investment companies and registered investment advisers. The Division acknowledged that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack, but noted that comprehensive measures tailored to a firm’s individual circumstances will mitigate the impact of such attacks and related effects on fund investors and advisory clients. The Division divided its suggested measures into three categories: assessments, strategies, and written policies and training.

Assessments

The Division first noted the importance of routine, periodic assessments of all circumstances related to a firm’s electronic information, noting that a primary goal of such assessments should be to prioritize and mitigate risk. These internal assessments can be used to develop and refine a firm’s cybersecurity strategy. The Guidance recommended the following areas for assessment:

  • The nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses
  • The internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems
  • The security controls and processes currently in place
  • The impact should the information or technology systems become compromised
  • The effectiveness of the governance structure for the management of cybersecurity risk

The Guidance later indicated that assessments should not necessarily be limited to internal evaluations. After noting that their operations rely on a number of service providers, the Division stated that funds and advisers also may wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.

Strategies

The Guidance recommends that funds and advisers create strategies designed to prevent, detect and respond to cybersecurity threats. Such strategies could include:

  • Controlling access to various systems and data via:
    • Management of user credentials
    • Authentication and authorization methods
    • Firewalls and/or perimeter defenses
    • Tiered access to sensitive information and network resources
    • Network segregation
    • Removal of all non-essential software programs and services, and unnecessary user names and logins
    • Continuous software updates
  • Encrypting data
  • Protecting against the loss or unauthorized exportation of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or unauthorized exportation of sensitive data, or other unusual events
  • Implementing data backup and retrieval procedures
  • Developing an incident response plan

Written Policies & Training

The Division staff recommends implementing cybersecurity strategies through written policies and procedures and training that provide guidance to officers and employees concerning:

  • Applicable threats
  • Measures designed to prevent, detect and respond to such threats
  • Measures that monitor compliance with cybersecurity policies and procedures

The Guidance further states the staff’s view that funds and advisers should identify their respective compliance obligations under the federal securities laws and consider those obligations when assessing their ability to prevent, detect and respond to cyber-attacks. For example, a compliance program may address cyber risk as it relates to a firm’s obligations under the federal securities laws to detect and prevent identity theft, protect personal non-public information and process shareholder transactions.