The SEC’s Division of Investment Management — which regulates investment companies and investment advisers — has recently issued additional cybersecurity guidance in the form of a Guidance Update based on its 2014 security sweep examinations. Though the alert is fairly broad and high-level, it provides more detail on what reasonable security measures are and it expressly confirms that mishandling cyber risks can result in violations of the securities laws by investment companies and investment advisers.
The guidance outlined in the announcement doesn’t carry the force of a rule. However, it does put fund managers on alert by giving them pointed suggestions on just how they should manage cybersecurity risk. The next step could be cybersecurity enforcement actions.
The SEC guidance update highlights the importance of the issue and discusses a number of measures that funds and advisers should consider when addressing cybersecurity risks. The guidance stresses these three points:
1. Assess threats, vulnerabilities and defensive measures currently in place by conducting periodic assessments of where and how sensitive information is stored. Companies also should assess the effectiveness of their current security program as well as the effect a breach would have on the organization.
2. Create a strategy to prevent, detect and respond to cybersecurity threats. This includes controlling access, use of encryption, protecting against data loss, using and testing a backup solution, and implementing an incident response plan.
3. Implement that strategy through written policies and procedures, internal personnel training and external client education. Firms may also wish to educate employees, investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts via security awareness training and phishing exercises.
The SEC also recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber attack. This is why it is ESSENTIAL that funds be able to detect a breach and respond in a timely manner. Studies have shown that the average network breach lasts over 200 days before it is detected.
The Division also encourages firms to broaden the ways that they gather information on cyber threats and suggests that they might do so by engaging “third-party contractors specializing in cybersecurity and technical standards.” Many firms simply will not be able to handle all of this internally. Managers are likely to need help from security and cybersecurity experts as well as from legal and compliance experts.
Because funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses.
Both the SEC and Financial Industry Regulatory Authority (FINRA) have made cybersecurity risk management an examination priority for the past two years. ACE IT Solutions can help you implement the SEC’s suggestions and put into place a cybersecurity program that will help prevent and detect security breaches.
ACE IT Solutions’ Security Services, offered in partnership with IBM, provide a simple and cost-effective way to limit potential threats 24×7. Through our partnership with IBM, ACE IT Solutions leverages one of the world’s largest collections of security information to combine advanced analytic capabilities into cloud-based security services that can be mixed and matched according to each business’ specific needs.
Read the SEC update here: http://www.sec.gov/investment/im-guidance-2015-02.pdf