SEC Issues New Cybersecurity Guidance for Investment Advisers and Investment Companies

The SEC’s Division of Investment Management recently released new guidance to registered investment advisers and investment companies regarding cybersecurity. The SEC has previously identified cybersecurity as an important issue and continues to reiterate advisers’ need for a suitable plan with respect to cybersecurity.

The staff completed a sweep of over 100 firms focusing on preparedness concerning cybersecurity in 2014 and is now planning a second phase of their cybersecurity initiative this summer. Additionally, David Glockner, director of the SEC's Chicago Regional Office, said at the Practising Law Institute's annual SEC Speaks conference in March that "Cyber security... is an area where we have not brought a significant number of cases yet, but is high on our radar screen".

In its newly released Guidance, the SEC highlighted a number of specific practices and measures that funds and advisers should consider in addressing their cybersecurity risk, including the following:

Conduct a periodic assessment of:

  1. the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  2. internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  3. security controls and processes currently in place;
  4. the impact should the information or technology systems become compromised; and
  5. the effectiveness of the governance structure for the management of cybersecurity risk.

An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.

Have a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:

  1. controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening to prevent cyber threats from insiders;
  2. data encryption;
  3. protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  4. data backup and retrieval; and
  5. the development of an incident response plan.

Routine testing of strategies could also enhance the effectiveness of any strategy.

Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.

The guidance also recommends that funds and advisers review both their internal operations and compliance programs to ensure they have in place adequate policies and procedures to mitigate exposure to any cybersecurity risks. For example, a fund or an adviser could address cybersecurity risk as it relates to:

  • identity theft and data protection (e.g., Regulations S-P and S-ID)
  • fraud
  • business continuity and other disruptions that could affect, for instance, a fund’s ability to process shareholder transactions

Additionally, where funds and advisers rely on service providers in carrying on their operations, the SEC suggests assessing such service providers for adequate cybersecurity measures. For example, service providers may be given access to a firm or fund’s technology systems that may inadvertently provide unauthorized access to data. Funds and advisers should also consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyber attack. Funds and advisers may also wish to consider assessing whether any insurance coverage related to cybersecurity risk is necessary or appropriate.

Because of the rapidly changing nature of cyber threats and the increased dependence on technology in the financial services sector, the SEC stated that they will continue to focus on cybersecurity and monitor events in this area.

Our Perspective

The SEC has up to this point been raising awareness of cybersecurity issues in the industry. OCIE released a Risk Alert in April 2014 that set forth a detailed set of questions that advisers and broker-dealers were expected to be able to respond to in an SEC examination. The SEC then followed up with sweep exams of over 100 broker-dealers and investment advisers in 2014, and then published their summary findings in a February 2015 Cybersecurity Risk Alert.

The SEC also recently announced plans to conduct a second phase of cybersecurity exams this summer, which will include on-site visits. With the publication of the new Guidance, we expect that the SEC’s exams will now move from education to testing what firms have done regarding cybersecurity, and the extent to which their policies and procedures are implemented as written.

We think that in future examinations, the SEC will expect firms to have addressed the specific items in the Guidance, and there may even be a presumption by some examiners that the Guidance be followed. Accordingly, advisers and funds should be well prepared to demonstrate their assessment, monitoring and testing efforts and the policies and procedures they have adopted as a result.

Funds and advisers, at a minimum, should take action in the following areas (and where no further action is taken, determine, and even be prepared to demonstrate, that such items are not relevant to them):

  1. Conduct a periodic risk assessment of their data, systems, and vendors, and identify whether there are any risks that should be mitigated.
  2. Have a written information security policy and procedures (WISP) that outline the safeguards in place to ensure confidential data is protected (e.g., network firewalls; strong passwords and other user authentications; controlling access to more sensitive data; disabling USB ports).
  3. Assess whether there is effective governance and oversight of cybersecurity risks.
  4. Conduct routine testing and monitoring of systems and controls, and ensure they are updated with the latest security patches.
  5. Have an incident response plan (and team) to have a rapid response capability in the event of a cybersecurity breach or threat.
  6. Have written policies and procedures. Consider specific practices or areas that present cybersecurity risks such as BYOD; cloud services; BCP/disaster recovery plans; and identity theft or other fraud.
  7. Do due diligence on service providers, especially if you are dependent on them to conduct activities for the fund or the adviser.
  8. Assess the need for cyber liability insurance.

Because funds and advisers are varied in their operations, the SEC expects funds and advisers to tailor their compliance programs based on the nature and scope of their businesses. The Guidance states that “funds and advisers will be better prepared if they consider the measures discussed herein based on their particular circumstances when planning to address cybersecurity and a rapid response capability.”

In the Guidance, the SEC stated it recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber attack. But we believe that the SEC will expect funds and advisers to have a plan that addresses cybersecurity risks, and in the event of an incident to have controls in place to mitigate the risks. We believe that a failure by an adviser or a fund to have sufficiently addressed cybersecurity risks consistent with the Guidance will lead to SEC deficiency findings, even in the absence of a cyber attack or other incident.

SEC3 can assist your firm in creating, implementing and maintaining your cybersecurity policies and procedures. For further information, please contact your SEC3 representative.

