On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing its observations from the examinations conducted under its 2014 Cybersecurity Examination Initiative. The Risk Alert is published on the SEC’s website.
Although the alert does not provide specific guidance, it highlights key areas of concern. We anticipate further cybersecurity guidance from the SEC in the future. In the meantime, fund managers may wish to consider the following items that were discussed in the alert:
- Has the firm adopted written information security policies?
- Does the firm’s business continuity plan address the impact of a cyber-attack and/or contain a cybersecurity response plan?
- Does the firm conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences?
- Has the firm implemented policies to address client losses resulting from cyber incidents?
- To what extent does the firm use encryption?
- Does the firm inventory, catalog or map its technology resources, including physical devices?
- Does the firm maintain insurance that covers cybersecurity incidents?
- Has the firm designated a Chief Information Security Officer? Alternatively, has it contracted with a third party that is responsible for cybersecurity oversight?
- Has the firm included cybersecurity requirements in its contracts with third-party vendors?
- Does the firm conduct cybersecurity risk assessments of third-party vendors with access to its network?
The SEC noted that most examined firms had experienced a cyber-related incident, most commonly involving malware or fraudulent e-mails. Some firms also suffered losses because employees failed to follow the firm’s own identity authentication procedures. Accordingly, firms should strongly consider conducting periodic employee training on detecting and responding to cybersecurity red flags, including verifying the identity of anyone requesting a transfer or a change to account details.