The SEC’s Division of Investment Management (IM) issued a guidance update this week on cybersecurity for funds and advisers. The guidance outlines certain protocols funds and advisers should undertake in order to protect their firms and clients.
In the update, IM staff state that funds and advisers should develop processes and procedures that are specific to their business operations and customized to the types of cybersecurity threats a firm may face in light of its business model. The seriousness of cyber-threats in the financial industry mandates a comprehensive and technically sound program – a boilerplate process creates risk and vulnerabilities.
Key elements of the new Guidance are as follows:
- Firms should conduct regular/periodic risk assessments of cyber-threats that include firm and client impact in the event of a data breach.
- Internal controls should focus on data access, data encryption, and protection against data loss through employee restrictions such as limits or prohibitions on the use of removable storage devices (e.g., thumb drives).
- Written policies and procedures should reflect the steps the firm has taken to protect against cyber-attacks and include employee training.
The SEC recognized in the update that most funds and advisory firms already address cybersecurity issues to a degree through Identity Theft Prevention Policies, Data Protection Plans and Business Continuity Plans. However, this may not be enough. Firms must implement policies that truly mitigate their exposure to the specific cybersecurity risks identified during the risk assessment. In addition, any due diligence on third-party service providers should include a review of the cybersecurity risks presented by the service provider’s use or maintenance of client or firm data.