SEC's Division of Investment Management Issues Cybersecurity Guidance | Practical Law

The SEC's Division of Investment Management issued guidance that highlights the importance of cybersecurity to registered investment companies and registered investment advisers, and sets out measures that they may wish to consider in addressing cybersecurity risk.

Practical Law Legal Update 8-610-9146 (Approx. 4 pages)

by Practical Law Corporate & Securities
Published on 29 Apr 2015, USA (National/Federal)
The SEC's Division of Investment Management has issued a guidance update that highlights the importance of cybersecurity to registered investment companies (Funds) and registered investment advisers (Advisers). The guidance sets out the following measures that Funds and Advisers may wish to consider in addressing cybersecurity risk, to the extent they are relevant:
  • Conduct a periodic assessment to identify potential cybersecurity threats and vulnerabilities so that Funds and Advisers can better prioritize and minimize risk. The assessment could examine:
    • the nature, sensitivity and location of information that the firm collects, processes or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to, and vulnerabilities of, the firm's information and technology systems;
    • security controls and processes currently in place;
    • the impact should the information or technology systems become compromised; and
    • the effectiveness of the governance structure for the management of cybersecurity risk.
    Funds and Advisers that are affiliated with other entities that share common networks should consider whether it may be appropriate to conduct an assessment of the entire corporate network.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. The guidance suggests that routine testing of a strategy could enhance its effectiveness. The strategy could include:
    • controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening;
    • data encryption;
    • protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
    • monitoring for ongoing and new cyber threats by gathering information from outside resources, such as vendors, third-party contractors specializing in cybersecurity and technical standards, and topic-specific publications and conferences, as well as participating in the Financial Services - Information Sharing and Analysis Center (FS-ISAC);
    • data backup and retrieval; and
    • developing an incident response plan.
  • Implement the strategy through written policies and procedures, as well as training, that:
    • provide guidance to officers and employees on applicable threats;
    • provide measures to prevent, detect and respond to the threats; and
    • monitor compliance with cybersecurity policies and procedures.
    The guidance suggests that firms may also wish to educate investors and clients on how to reduce their exposure to cybersecurity threats concerning their accounts.
The guidance states that the suggested measures are not intended to be comprehensive and that Funds and Advisers may find that other measures are better suited to their operations.
The guidance further states that:
  • When assessing their ability to prevent, detect and respond to cyber attacks, Funds and Advisers should identify their respective compliance obligations under the federal securities laws and take these obligations into account.
  • Funds and Advisers could mitigate exposure to compliance risk associated with cyber threats by having compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. For example, a compliance program could address:
    • cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity; and
    • other disruptions in service that could affect, for instance, the ability to process shareholder transactions.
  • Because Funds and Advisers rely on service providers in carrying out their operations, they may wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.