Articles Tagged with Cybersecurity

Last month, the SEC Division of Investment Management released Investment Management Guidance in which it discusses a number of measures that investment advisers may wish to consider when addressing cybersecurity risks. This guidance is just the latest in a long list of guidance and alerts issued by the SEC and other regulators on the need for financial firms to improve their policies and procedures for dealing with cybersecurity threats.

Among the recommendations made in the current IM Guidance are that firms:

• Conduct a periodic assessment of the nature, sensitivity and location of information, what types of cybersecurity threats and vulnerabilities exist, what security controls and processes are currently in place, the impact that would occur in the event of compromise of information, and the effectiveness of the current structure for managing cyber security risks


During the January 7th Practising Law Institute conference on Hedge Fund Compliance and Regulatory Challenges, the Director of the SEC Office of Compliance Inspections and Examinations (“OCIE”), Andrew Bowden, previewed some of the new priorities on which the SEC will focus in 2015. Some of the areas of focus include protecting investors, specifically those in or close to retirement, cyber security, and the use of data analytics to identify potential wrongdoers. One of the other priorities discussed was OCIE’s new initiative to use “presence exams” to examine certain investment advisers that have never been examined. Investment advisers who have been registered with the SEC for three or more years will potentially be selected for a presence exam.

Presence exams are less intensive, shorter exams, taking up about two-thirds the time of a regular SEC examination. These exams tend to be narrower in scope and focus on specific areas of concern that the SEC may have. In October 2012, SEC staff created presence exams for investment advisers who were required to register with the SEC for the first time because of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). These newly required SEC registrants under Dodd-Frank included, for example, hedge fund advisers with more than $150 million in assets under management. Bowden stated that the SEC performed close to 400 of these exams and that OCIE’s goal to examine 25% of the investment advisers required to register with the SEC under Dodd-Frank by 2014 was met.

Earlier this year, the SEC announced that one of its focus areas for examinations in 2014 would be cybersecurity. The SEC Office of Compliance Inspections and Examinations published a Cybersecurity Initiative Risk Alert in April that provides a sample request for information and documents designed to determine a firm's preparedness for cybersecurity threats. Examples of questions asked include:

– Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists;

– Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the firm?;

– Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process.

