Cybersecurity Guidance Update for Funds & Advisers
Investment Management Update
Date: May 05, 2015
On April 27, 2015, the SEC’s Division of Investment Management (Division) published IM Guidance Update 2015-02 (Guidance). IM Guidance Updates do not carry the authority of a rule or regulation; they summarize the views of the Division’s staff on emerging industry issues. In this Guidance, the Division suggested broad cybersecurity measures to protect confidential and sensitive information related to the operations of registered investment companies and registered investment advisers. The Division acknowledged that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack, but noted that comprehensive measures tailored to a firm’s individual circumstances will mitigate the impact of such attacks and their related effects on fund investors and advisory clients. The Division divided its suggested measures into three categories: assessments, strategies, and written policies and training.
Assessments
The Division first noted the importance of routine, periodic assessments of all circumstances related to a firm’s electronic information, noting that a primary goal of such assessments should be to prioritize and mitigate risk. These internal assessments can be used to develop and refine a firm’s cybersecurity strategy. The Guidance recommended the following areas for assessment:
- The nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses
- The internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems
- The security controls and processes currently in place
- The impact should the information or technology systems become compromised
- The effectiveness of the governance structure for the management of cybersecurity risk
The Guidance later indicated that assessments need not be limited to internal evaluations. After noting that funds and advisers rely on a number of service providers for their operations, the Division stated that funds and advisers also may wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers.
Strategies
The Guidance recommends that funds and advisers create strategies designed to prevent, detect and respond to cybersecurity threats. Such strategies could include:
- Controlling access to various systems and data via:
  - Management of user credentials
  - Authentication and authorization methods
  - Firewalls and/or perimeter defenses
  - Tiered access to sensitive information and network resources
  - Network segregation
  - Removal of all non-essential software programs and services, and unnecessary user names and logins
  - Continuous software updates
- Encrypting data
- Protecting against the loss or unauthorized exportation of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or unauthorized exportation of sensitive data, or other unusual events
- Implementing data backup and retrieval procedures
- Developing an incident response plan
Written Policies & Training
The Division staff recommends implementing cybersecurity strategies through written policies and procedures, and through training, that provide guidance to officers and employees concerning:
- Applicable threats
- Measures designed to prevent, detect and respond to such threats
- Measures that monitor compliance with cybersecurity policies and procedures
The Guidance further states the staff’s view that funds and advisers should identify their respective compliance obligations under the federal securities laws and consider those obligations when assessing their ability to prevent, detect and respond to cyber-attacks. For example, a compliance program may address cyber risk as it relates to a firm’s obligations under the federal securities laws to detect and prevent identity theft, protect personal non-public information and process shareholder transactions.
FOR MORE INFORMATION
For more information, please contact:
John V. Domaschko
Michael V. Wible
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2015 THOMPSON HINE LLP. ALL RIGHTS RESERVED.