GPs can expect greater scrutiny from the Securities and Exchange Commission (SEC) on their cybersecurity processes, said Jane Jarcho, the national associate director for the SEC’s investment adviser exam program, who was speaking at the agency’s compliance outreach program last month.
“We will be looking to see what policies are in place to prevent, detect and respond to cyber-attacks,” said Jarcho. “We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors.”
The SEC wants to see regular assessments from fund advisors on their cybersecurity risk and also check that advisors have reported previous cyber-attacks to regulators, Jarcho added.
Cybersecurity deficiencies found in examinations won’t automatically lead to enforcement action, Jarcho revealed.
“The industry always thinks our exams are done with enforcement in mind and that is just absolutely not true. There are a number of areas where our job is collecting information in order to inform policy at the SEC.”
Still, Jarcho stressed that GPs need to be mindful that deficiency letters and examiner comments need to be considered and acted upon.
The SEC will look into past deficiencies that advisors have left ignored, Julie Riewe, co-chief of the SEC’s enforcement division responsible for supervising private fund managers, said at the outreach program.