SEC Guidance Update on Cybersecurity

In April 2015, the SEC’s Division of Investment Management (“the Division”) issued a Guidance Update on Cybersecurity. The Update did not notify us of any impending rules or requirements, but did provide suggestions “that funds and advisers may wish to consider when addressing cybersecurity risks.” These suggestions also reflect information received from the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) from the Cybersecurity Examination Sweep conducted in 2014. Cybersecurity has been identified again this year as one of OCIE’s Examination Priorities.

 

CybersecurityMeasures that funds and advisers may wish to consider in addressing cybersecurity risk include:

  • Conducting a periodic assessment of:
    • the nature, sensitivity and location of information collected, processed and/or stored
    • internal and external cybersecurity threats
    • security controls and processes currently in place
    • the impact should the information or technology systems become compromised
    • the effectiveness of the governance structure for the management of cybersecurity risk
  • Based on the above assessment a plan should be created that is designed to prevent, detect and respond to cybersecurity threats, with the following considerations:
    • controlling access to various systems and data
    • using data encryption
    • protecting against the exfiltration of data by restricting the use of removable storage media
    • data backup and retrieval
    • developing an incident response plan
  • As part of your annual review, the following steps should be taken based on the above assessment and creation of a plan:
    • establishing written policies and procedures
    • conducting training that provides guidance to employees concerning applicable threats
    • identifying measures to prevent, detect and respond to such threats
    • monitoring compliance with cybersecurity policies and procedures

 

An effective risk assessment would assist in identifying potential cybersecurity threats and vulnerabilities allowing the adviser to better prioritize, address, and mitigate risk, and routine testing of strategies could enhance the effectiveness of any plan. It’s not possible for a fund or adviser to anticipate and prevent every cyberattack, but a plan to address cybersecurity and the ability to provide a rapid response may assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients, and complying with the federal securities laws.

 

View the SEC Guidance Update
Comments are closed.