On April 28, 2015, the SEC issued a Guidance Update as a follow-up to the cybersecurity risk alert released on February 3, 2015. It is evident that the SEC considers cybersecurity a priority and a high-risk area for registered investment advisers and registered investment companies.
Safeguarding a firm's confidential, proprietary and sensitive information is critical, as is performing due diligence on third parties that have access to a firm's systems and information. For these reasons, the SEC recommends the following general guidelines to assist firms in evaluating cybersecurity risk:
- conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores and the technology systems used
- identify internal and external cybersecurity threats to, and vulnerabilities of, the firm’s information and technology systems
- evaluate existing security controls and processes currently in place
- determine the impact should the information or technology systems become compromised
- verify the effectiveness of the governance structure for management of cybersecurity risk
- create a strategy or program designed to prevent, detect and respond to cybersecurity threats
Recommended strategies to protect a firm’s information include:
1) control access to systems and data through user authentication and strong passwords, firewalls and perimeter defenses, and tiered access to sensitive information
2) protect against loss or exfiltration of sensitive data by restricting the use of removable storage media, deploying software that monitors systems for unauthorized intrusions, and using encryption
3) maintain data back-up and retrieval procedures
4) routinely test systems
5) implement written policies and procedures
The SEC reminds funds and advisers of their compliance obligations under the federal securities laws, and urges them to take these responsibilities into account when assessing their ability to prevent, detect and respond to cyber-attacks.