The SEC’s Division of Investment Management recently released new guidance to registered investment advisers and investment companies regarding cybersecurity. The SEC has previously identified cybersecurity as an important issue and continues to reiterate advisers’ need for a suitable plan with respect to cybersecurity.
The staff completed a sweep of over 100 firms focusing on preparedness concerning cybersecurity in 2014 and is now planning a second phase of their cybersecurity initiative this summer. Additionally, David Glockner, director of the SEC’s Chicago Regional Office, said at the Practising Law Institute’s annual SEC Speaks conference in March that “Cyber security… is an area where we have not brought a significant number of cases yet, but is high on our radar screen”.
In their newly-released Guidance, the SEC highlighted a number of specific practices and measures that funds and advisers should consider in addressing their cybersecurity risk, including the following:
• Conduct a periodic assessment of:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- security controls and processes currently in place;
- the impact should the information or technology systems become compromised; and
- the effectiveness of the governance structure for the management of cybersecurity risk.
An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.
• Have a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
- controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening to prevent cyber threats from insiders;
- data encryption;
- protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
- data backup and retrieval; and
- the development of an incident response plan.
Routine testing of strategies could also enhance the effectiveness of any strategy.
• Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.
The guidance also recommends that funds and advisers review both their internal operations and compliance programs to ensure they have in place adequate policies and procedures to mitigate exposure to any cybersecurity risks. For example, a fund or an adviser could address cybersecurity risk as it relates to:
- identity theft and data protection (e.g., Regulations S-P and S-ID)
- business continuity and other disruptions that could affect, for instance, a fund’s ability to process shareholder transactions
Additionally, where funds and advisers rely on service providers in carrying on their operations, the SEC suggests assessing such service providers for adequate cybersecurity measures. For example, service providers may be given access to a firm or fund’s technology systems that may inadvertently provide unauthorized access to data. Funds and advisers should also consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyber attack. Funds and advisers may also wish to consider assessing whether any insurance coverage related to cybersecurity risk is necessary or appropriate.
Because of the rapidly changing nature of cyber threats and the increased dependence on technology in the financial services sector, the SEC stated that they will continue to focus on cybersecurity and monitor events in this area.
The SEC has up to this point been raising awareness of cybersecurity issues in the industry. OCIE released a Risk Alert in April 2014 that set forth a detailed set of questions that advisers and broker-dealers were expected to be able to respond to in an SEC examination. The SEC then followed up with sweep exams of over 100 broker-dealers and investment advisers in 2014, and then published their summary findings in a February 2015 Cybersecurity Risk Alert.
The SEC also recently announced plans to conduct a second phase of cybersecurity exams this summer, which will include on-site visits. With the publication of the new Guidance, we expect that the SEC’s exams will now move from education to testing what firms have done regarding cybersecurity, and the extent to which their policies and procedures are implemented as written.
We think in future examinations, the SEC will expect firms to have addressed the specific items in the Guidance, and there may even be a presumption by some examiners that the Guidance be followed. Accordingly, advisers and funds should be well prepared to demonstrate their assessment, monitoring and testing efforts and the policies and procedures they have adopted as a result.
Funds and advisers, at a minimum, should take action in the following areas (and where no further action is taken, determine – and even be prepared to demonstrate — that such items are not relevant to them):
- Conduct a periodic risk assessment of their data, systems, and vendors, and identify whether there are any risks that should be mitigated.
- Have written information security policy and procedures (WISP) that outline the safeguards in place to ensure confidential data is protected (e.g., network firewalls; strong passwords and other user authentications; controlling access to more sensitive data; disabling USB ports).
- Assess whether there is effective governance and oversight of cybersecurity risks.
- Conduct routine testing and monitoring of systems and controls, and ensuring they are updated for the latest security patches.
- Have an incident response plan (and team) to have a rapid response capability in the event of a cybersecurity breach or threat.
- Have written policies and procedures. Consider specific practices or areas that present cybersecurity risks such as BYOD; cloud services; BCP/disaster recovery plans; and identity theft or other fraud.
- Do due diligence on service providers especially if you are dependent on them to conduct activities for the fund or the adviser.
- Assess the need for cyber liability insurance.
Because funds and advisers are varied in their operations, the SEC expects funds and advisers to tailor their compliance programs based on the nature and scope of their businesses. The Guidance states that “funds and advisers will be better prepared if they consider the measures discussed herein based on their particular circumstances when planning to address cybersecurity and a rapid response capability.”
In the Guidance, the SEC stated it recognizes that is it not possible for a fund or adviser to anticipate and prevent every cyber attack. But we believe that the SEC will expect funds and advisers to have a plan that addresses cybersecurity risks, and in the event of an incident to have controls in place to mitigate the risks. We believe that a failure by an adviser or a fund to have sufficiently addressed cybersecurity risks consistent with the Guidance will lead to SEC deficiency findings, even in the absence of a cyber attack or other incident.
SEC3 can assist your firm in creating, implementing and maintaining your cybersecurity policies and procedures. For further information, please contact your SEC3 representative or contact us at firstname.lastname@example.org.