Last month, the SEC Division of Investment Management released Investment Management Guidance that discusses a number of measures investment advisers may wish to consider when addressing cybersecurity risks. This guidance is only the latest in a long series of guidance and alerts issued by the SEC and other regulators on the need for financial firms to improve their policies and procedures for dealing with cybersecurity threats.
Among the recommendations made in the current IM Guidance are that firms:
• Conduct a periodic assessment of the nature, sensitivity and location of information the firm holds; the cybersecurity threats and vulnerabilities it faces; the security controls and processes currently in place; the impact that would result from a compromise of that information; and the effectiveness of the current governance structure for managing cybersecurity risks.
• Create a strategy designed to prevent and detect threats, which would include controlling access to systems (including controlled use of credentials and authentication such as passwords and log-ins), implementing data encryption policies, restricting the use of removable storage media, providing for data back-up and retrieval, and developing an incident response plan.
• Implement written policies and procedures, including training, that provide guidance to employees and officers regarding cyber threats and the measures implemented to prevent, detect and respond to such threats.
The IM Guidance also mentions that firms may wish to correlate and coordinate their cybersecurity policies with their identity theft, data protection, fraud and business continuity plans, and ensure that third-party vendors with whom the advisers have dealings have measures in place to protect sensitive information.
While the staff recognizes that it is not possible for an investment adviser to anticipate or prevent every cyber-attack, its continued focus on this issue signals that it would treat a failure to address cybersecurity through the formal development of plans, policies and training not only as a departure from best practices, but also as a violation of the applicable laws, including the Investment Advisers Act and the securities laws.
Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.