The Division of Investment Management at the US Securities and Exchange Commission (SEC) released new cybersecurity guidance for registered investment advisers and registered investment companies, including specific suggestions on how to implement and manage a cybersecurity program.
The brief six-page update notes that advisers rely on technology more than ever, which escalates the threat of cyber-attacks. Following the first round of the SEC’s cybersecurity sweep, which wrapped up in February, the agency gave registered advisers mixed reviews on their cybersecurity readiness.
Tuesday’s guidance update urged managers to conduct a periodic assessment of the firm’s technology systems; internal and external cybersecurity threats; and security controls and processes. Firms should ensure that access to systems and information is protected via firewalls, tiered access and data encryption, and that they have software that monitors systems for unauthorized intrusions.
The cybersecurity strategy should include written policies and procedures and training for staff on ways to prevent, detect and respond to threats. Advisers may want to consider reviewing their operations and compliance programs accordingly, the guidance noted.
“For example, the compliance program could address cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity,” it said.
Phase one of the cybersecurity sweep found that the vast majority of registered investment advisers now have written information security policies in place, but that significantly fewer conduct periodic risk assessments of third-party vendors with access to their firms’ networks. The SEC made note of this issue in its update.
“Funds and advisers may wish to consider reviewing their contracts with their service providers to determine whether they sufficiently address technology issues and related responsibilities in the case of a cyber-attack,” the guidance noted.
Managers would be wise to take note of the suggestions included in the update as a precautionary measure, said Todd Cipperman of Cipperman Compliance Services.
“If you have a data breach and you have not implemented the measures described in the guidance, the SEC has warned you that it may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient,” he said in an email.
The SEC is expected to launch phase two of its cybersecurity sweep this summer, or by October at the latest. The exams are expected to cover the same number of registrants as phase one, which included 57 registered broker-dealers and 49 registered investment advisers, seven of which were private fund managers. As with phase one, the commission will publicly release a document listing the questions it will focus on ahead of the onsite exams.