The Division of Investment Management (Division) of the U.S. Securities and Exchange Commission (SEC) issued a Guidance Update on April 28, 2015 (Guidance) relating to the cybersecurity of registered investment companies and registered investment advisers (together, “firms”).1 Citing information gained through discussions with firms’ boards and senior personnel, and via the Office of Compliance Inspections and Examination’s (OCIE) 2014 cybersecurity examination sweep, the Division’s staff (Staff) stressed that firms need to review their cybersecurity measures and tailor their approaches to cybersecurity based on their particular circumstances. For further information regarding the results of the 2014 sweep, as well OCIE’s second wave of cybersecurity exams, please refer to Dechert OnPoint, The Evolving U.S. Cybersecurity Landscape: What Firms Want to Know.
This OnPoint (i) details the Staff’s suggestions as to how firms should address their cybersecurity risks and compliance obligations; and (ii) lays out issues for firms to consider as they create tailored cybersecurity programs in line with the Division’s expectations.
The Division’s Step-by-Step Process for Addressing Cybersecurity Risks
The Guidance sets forth a step-by-step approach as a starting point for firms to address their cybersecurity risks. The Staff explains that, at the outset, firms should conduct a periodic assessment of at least five different areas and, importantly, indicates that the assessment should encompass all of the affiliated entities with which the firm shares a network. The Guidance states that firms should assess:
- the nature, sensitivity and location of information the firm collects, processes and/or stores, and the technology systems it uses;
- internal and external cybersecurity threats to, and vulnerability of, the firm’s information and technology systems;
- security controls and processes currently in place;
- the impact if information or technology were to become compromised; and
- the effectiveness of the governance structure for the management of risk.
The Guidance next recommends that firms create a strategy to prevent, detect and respond to cybersecurity threats, indicating that the strategy could include, for example:
- controlling access to systems and data via user credentials, authentication and authorization methods, firewalls and other methods;
- data encryption;
- protecting against loss by restricting the use of removable storage;
- data backup and retrieval; and
- the development of an incident response system.
The Staff points out that periodic testing of such strategies may be appropriate. It also recommends that firms consider OCIE’s sample list of requests for information, published in connection with its cybersecurity initiative, when developing their strategies. For further information regarding the sample list of requests, please refer to Dechert OnPoint, SEC Staff to Conduct Broker-Dealer and Investment Adviser Examinations Focused on Cybersecurity.
The final recommendation of the Guidance is that firms implement the strategies developed through their self-assessments. When implementing those strategies, the Staff notes that firms should create written policies and procedures, conduct training that provides guidance to officers and employees regarding threats, and put in place measures to prevent, detect and respond to threats and ongoing compliance monitoring.
Guidance as to the Relationship Between Cybersecurity and Compliance Obligations
In addition to discussing how firms should address their cybersecurity risks, the Guidance points to compliance obligations relating to cybersecurity and arising from the federal securities laws. In doing so, the Staff provides examples for the ways in which a firm could consider cybersecurity in its compliance policies and procedures. The Staff highlights, among others, compliance obligations linked to:
- data protection and its relation to the Identity Theft Red Flags Rules2;
- fraudulent activity as it relates to internal personnel; and
- business continuity as it relates to an adviser’s fiduciary obligation in the event an adviser was unable to provide advisory services to its clients due to a cyber incident.
The Guidance also encourages firms to think about the degree to which their third-party service providers use cybersecurity controls and protective measures, as well as whether their contracts with those service providers address the technology and liability issues relating to cyber attacks.
What are the “Next Steps” for Financial Firms?
The Guidance’s step-by-step process, its lengthy discussion of specific actions for firms to consider when addressing their cybersecurity risks, and its explicit recommendation that firms “tailor their compliance programs based on the nature and scope of their business,” indicates that firms would be prudent to do more than merely update their current policies to mirror the language in the Guidance. Based on the Guidance, firms should instead have a series of conversations with internal and external experts on cybersecurity in order to review how the Guidance applies to their businesses and to determine how to create a comprehensive, and tailored, cybersecurity program. As part of this program, the following issues should be considered:
- How the federal cybersecurity laws apply to the firm and its affiliates.
- The types of information the firm collects and with whom it is shared.
- Whether the firm’s service providers have protective measures in place.
- The particular cybersecurity risks to which the firm and its affiliates are subject.
- The extent to which the firm has information security controls in place across its entire corporate network, and how these could be strengthened.
- Whether the firm currently educates or trains its employees, investors and clients as to how to prevent and respond to cybersecurity threats.
- How the firm monitors the implementation of its cybersecurity program and how it will engage in ongoing testing.
- Whether the firm has developed an incident response plan that could be implemented in the event of a data breach.
Considering these higher-level questions in conjunction with the Guidance’s more specific measures before adopting new policies will enable firms to tailor those policies to effectively address their unique business needs.
The Division has indicated that it sees cybersecurity as a dynamic field that will require its continued focus. By offering specific recommendations and “how-to’s” relating to the ways in which firms should approach cybersecurity and the related compliance issues, the Division suggests that it expects firms to take a more proactive approach to cybersecurity. As a result, firms should heed the Division’s advice and stay current with developments in the cybersecurity arena, not only to ensure compliance but for the protection of firm and investor information.