On April 28, 2015, the Division of Investment Management (the “Division”) of the Securities and Exchange Commission (the “SEC”) published a Guidance Update on the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”).1 This Guidance Update follows a Risk Alert published by the Office of Compliance Inspections and Examinations on February 3, 2015 and a Cybersecurity Roundtable hosted by the SEC last year on March 26, 2014. The Division published the Guidance Update to highlight the importance of the issue and to describe various measures that funds and advisers can consider when addressing cybersecurity risks.
Specific Guidance on Addressing Cybersecurity Risks
The Division believes that funds and advisers should prepare for cyber attacks based on the nature and scope of their businesses and their compliance obligations under the federal securities laws, as certain measures may be better suited than others, depending on the operations of a particular fund or adviser. Accordingly, in providing its guidance, the Division noted that funds and advisers should tailor their policies and procedures.
The Division’s specific guidance entails conducting periodic assessments of cybersecurity threats and the controls and processes in place, creating a strategy to address cybersecurity threats, and implementing that strategy by adopting policies and procedures as further detailed below.
- Periodic Assessments. Funds and advisers should conduct periodic assessments of:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - the internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - the security controls and processes currently in place;
  - the impact if the information or technology systems become compromised; and
  - the effectiveness of the governance structure in managing cybersecurity risk.
- Creating a strategy to address cybersecurity threats. Funds and advisers should create, and routinely test, a strategy that is designed to prevent, detect and respond to cybersecurity threats, which could include:
  - controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening (making technology systems less susceptible to unauthorized intrusions by removing all non-essential software programs and services, unnecessary usernames and logins, and by ensuring that software is updated continuously);
  - protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  - data encryption, backup and retrieval; and
  - the development of an incident response plan.
- Implementing the strategy. Funds and advisers should implement the strategy they created by adopting written policies and procedures.2 In implementing the strategy, funds and advisers should also:
  - conduct training that provides guidance to officers and employees about applicable threats and measures to prevent, detect and respond to such threats; and
  - consider educating investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
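The periodic assessment of "the security controls and processes currently in place" and the hardening measures listed under the strategy (removing unnecessary logins and non-essential services, keeping software updated, restricting removable media) lend themselves to a repeatable automated check. The following is an added illustration, not part of the Guidance Update or of this summary: it runs a small control assessment over a constructed host inventory. The allowlist of essential services, the baseline package versions, the 90-day staleness threshold and the host records are all hypothetical sample values; in practice the inventory would be exported from a configuration-management or endpoint tool and the policy values would come from the firm's own written standards.

```python
"""Periodic control assessment over a constructed host inventory.

Checks four controls named in the Guidance Update: unnecessary accounts,
non-essential services, out-of-date software and removable-media
restrictions. All policy values and hosts below are constructed examples.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    accounts: List[Tuple[str, Optional[date]]]  # (username, last login or None if never)
    services: List[str]                          # running service names
    packages: Dict[str, str]                     # package name -> installed version
    removable_media_blocked: bool                # endpoint policy for USB/removable storage


# Hypothetical policy: services allowed to run, minimum package versions,
# and how long an account may go unused before it is flagged for review.
ESSENTIAL_SERVICES = {"sshd", "ntpd", "syslog"}
BASELINE_VERSIONS = {"openssl": "3.0.2", "bash": "5.1.16"}
STALE_AFTER_DAYS = 90


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '3.0.2' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def assess_host(host: Host, today: date) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs for every control the host fails."""
    findings: List[Tuple[str, str]] = []

    # Unnecessary usernames and logins: never used, or unused past the threshold.
    for user, last_login in host.accounts:
        if last_login is None or (today - last_login).days > STALE_AFTER_DAYS:
            findings.append(("stale-account", user))

    # Non-essential services: anything running that is not on the allowlist.
    for service in host.services:
        if service not in ESSENTIAL_SERVICES:
            findings.append(("non-essential-service", service))

    # Software currency: missing or older than the baseline version.
    for package, baseline in BASELINE_VERSIONS.items():
        installed = host.packages.get(package)
        if installed is None or parse_version(installed) < parse_version(baseline):
            findings.append(("outdated-software", f"{package}={installed}"))

    # Removable storage restriction from the data-loss section of the guidance.
    if not host.removable_media_blocked:
        findings.append(("removable-media-allowed", host.name))

    return findings


def assess_fleet(hosts: List[Host], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Assess every host and key the findings by host name."""
    return {host.name: assess_host(host, today) for host in hosts}


def summarize(results: Dict[str, List[Tuple[str, str]]]) -> Dict[str, int]:
    """Count findings by type across the fleet, for the governance report."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for finding_type, _ in findings:
            counts[finding_type] = counts.get(finding_type, 0) + 1
    return counts


# Constructed sample inventory (hypothetical hosts, accounts and versions).
TODAY = date(2015, 4, 28)
SAMPLE_HOSTS = [
    Host("ops-web-01",
         accounts=[("admin", date(2015, 4, 20)),
                   ("contractor", date(2014, 11, 2)),   # unused for ~6 months
                   ("svc_legacy", None)],               # never logged in
         services=["sshd", "ntpd", "telnetd"],          # telnetd is not on the allowlist
         packages={"openssl": "3.0.2", "bash": "5.1.16"},
         removable_media_blocked=True),
    Host("ops-db-01",
         accounts=[("dba", date(2015, 4, 27))],
         services=["sshd", "syslog"],
         packages={"openssl": "3.0.1", "bash": "5.1.16"},  # openssl below baseline
         removable_media_blocked=False),
]

if __name__ == "__main__":
    results = assess_fleet(SAMPLE_HOSTS, TODAY)
    for host_name, findings in results.items():
        for finding_type, detail in findings:
            print(f"{host_name}: {finding_type}: {detail}")
    print("summary:", summarize(results))
```

Each finding maps back to one of the controls in the guidance, so the summary can be kept as evidence of the periodic assessment and compared across runs to show whether the governance structure is actually reducing the number of open items.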
The Guidance Update provides that as part of their strategy, funds and advisers may wish to consider the use of outside resources, such as vendors, third-party contractors specializing in cybersecurity and technical standards, and topic-specific publications and conferences. They may also consider becoming members of the Financial Services – Information Sharing and Analysis Center, a global resource center established by the financial services sector for cyber and physical threat intelligence analysis and sharing. Other measures suggested in the Guidance Update include reviewing contracts with service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyber attack, and assessing whether any insurance coverage related to cybersecurity risk is necessary or appropriate.