The SEC’s Division of Investment Management released guidance last week that addresses issues of cybersecurity for funds and advisers. The guidance cites attacks against financial services firms, discussions in the Division’s senior-level engagement program, the results of OCIE’s recently completed cybersecurity sweep, and the Commission’s Cybersecurity Roundtable as evidence that firms need to review their cybersecurity measures. While the staff “recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber attack,” it argues that “[a]ppropriate planning to address cybersecurity and a rapid response capability may, nevertheless, assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients, as well as complying with the federal securities laws.”
The guidance suggests that funds and advisers may want to consider conducting periodic assessments of:
(1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
(2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
(3) security controls and processes currently in place;
(4) the impact should the information or technology systems become compromised; and
(5) the effectiveness of the governance structure for the management of cybersecurity risk.
The Division also stressed the importance of having a plan in place to “prevent, detect and respond to cybersecurity threats.” According to the staff, such a plan should focus on controlling access to systems, encrypting data, restricting and monitoring the movement of data in and out of systems, and backing up data.
The guidance suggests the need for written policies and procedures, as well as training, to address issues of cybersecurity. The guidance also signals what may be the staff’s intention to pursue programs that do not comply with the Commission’s guidance through Rule 38a-1 actions. According to the staff, “funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.” The guidance specifically highlights policies related to the Red Flags Rule, Regulation S-P, and business continuity. The staff also envisions a scenario in which a fund under cyber attack is unable to meet a redemption request within the required 7-day period, which would constitute a violation of the securities laws.
The guidance also suggests that funds and advisers may want to consider the cybersecurity readiness of relevant service providers. The Division suggests that such a review may cover the level of data access granted to service providers, as well as a review of contracts to determine whether cyber risks and the associated responsibilities are addressed in those documents. Lastly, the guidance suggests that funds and advisers may want to consider cybersecurity insurance.
A recent webinar hosted by K&L Gates discussed cybersecurity issues, including the Division’s guidance (beginning at the 3:50 mark).