Thu, May 7, 2015
On April 28, 2015, the SEC issued a Guidance Update as a follow-up to the cybersecurity risk alert released on February 3, 2015. It is evident that the SEC considers cybersecurity a priority and an area of high risk for registered investment advisers and registered investment companies.
Safeguarding a firm’s confidential, proprietary and sensitive information is critical, as is performing due diligence on third parties that have access to a firm’s systems and information. For these reasons, the SEC recommends the following general guidelines to assist firms in evaluating cybersecurity risk:
1) control access to various systems and data via user authentication and strong passwords, firewalls/perimeter defense, and tiered access to sensitive information
2) protect against loss or exfiltration of sensitive data by restricting use of removable storage media, deploying software that monitors systems for unauthorized intrusions, and using encryption
3) data back-up and retrieval
4) routine testing of systems
5) implementing written policies and procedures
The SEC reminds funds and advisers of their compliance obligations under federal securities laws, and reminds them to take these responsibilities into account when assessing their ability to prevent, detect and respond to cyber-attacks.