On April 28, 2015, the SEC's Division of Investment Management released cybersecurity guidance directed at registered investment companies (“funds”) and registered investment advisers (“advisers”). The guidance focused primarily on (1) conducting periodic assessments, (2) creating a strategy to prevent, detect and respond to cybersecurity threats, and (3) executing developed strategies through written policies, training and compliance.
In particular, the SEC recommends thorough assessments that identify:
- The nature, sensitivity and location of data processed or stored by funds or advisers;
- Internal and external cybersecurity threats and vulnerabilities impacting the data;
- Available security controls;
- The potential impact if the data or related technology systems are compromised; and
- The effectiveness of the governance structure for the management of cybersecurity risk.
Recommended strategies for addressing cybersecurity risks are said to include:
- Access controls (authentication and authorization, firewalls, tiered access to sensitive information, network segregation;
- Data encryption;
- Restricting the use of removable storage media and detecting unauthorized intrusions, data exfiltration, or other unusual events;
- Data backup and retrieval; and
- Developing an incident response plan.
The guidance directs those implanting such strategies to maintain written cybersecurity policies, provide training to employees concerning prevention, detection and response to cybersecurity threats, as well as monitor compliance with cybersecurity policies. Notably, the guidance indicates that funds and advisers could mitigate exposure to compliance risks associated with cyber threats through policies and procedures that are reasonably designed to prevent violations of the federal securities laws.
The SEC’s new guidance comes on the heels of other activity by government and self-regulatory agencies in the financial sector. For example, in early February 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published its Cybersecurity Examination Sweep Summary with an assessment of the industry’s vulnerability to cyber-attacks after examining 57 registered broker-dealers and 49 registered investment advisers. Shortly after the OCIE report, the Financial Industry Regulatory Authority (“FINRA”) issued aReport on Cybersecurity to assist the financial services sector in responding the cybersecurity threats. Notably, the SEC’s recent guidance suggests that funds and advisers consult the NIST Cybersecurity Framework, which has been gaining traction as a leading approach to comprehensive cybersecurity practices.
The SEC Investment Management division’s guidance is available here.