On April 28, 2015, the SEC Division of Investment Management issued guidance with regard to cybersecurity issues for both registered investment companies and registered investment advisers (IM Guidance Update 2015-2, the “Guidance”). The Guidance identifies and discusses various measures that a fund or adviser may wish to consider when addressing privacy and data risks. The SEC notes that the suggested measures are not intended to be comprehensive and that alternative measures may be more appropriate, depending on the facts and circumstances. Nonetheless, the Guidance provides an excellent overview and a potential road map for the development of cybersecurity policies and procedures that are compliant from an SEC point of view.
For example, the Guidance provides that:
- An adviser should conduct periodic assessments regarding all aspects of the information collected, processed, and/or stored by the firm and the technology systems it uses.
- Periodic assessments should also be conducted with regard to security controls and processes, internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems, and the governance structure for the management of cybersecurity risk. With regard to governance, the SEC is in other words really asking “who is in charge and accountable?”
- The firm should create a strategy that deals with the cornerstones of cybersecurity policy: prevent, detect, and respond.
- The strategy might include access control via management of user credentials, authentication and authorization methods, data encryption, and control of data loss or exfiltration via restrictions on the use of removable storage media and software monitoring of risk events. The Guidance also suggests data backup and incident response procedures.
The Guidance notes that these suggested measures are considered in the context of a fund or adviser’s duty to comply with obligations under the federal securities laws.
The Guidance may be found here: http://www.sec.gov/investment/im-guidance-2015-02.pdf
Please let us know if you require any further assistance with regard to the development of your cybersecurity policies and procedures.
Steve Wilkes to Testify at DOL ERISA Advisory Committee
Steve Wilkes, of our San Francisco office, has been invited to testify on May 29, 2015, before the Department of Labor’s ERISA Advisory Council on cybersecurity issues concerning the intersection of “Privacy/Cybersecurity” and “ERISA”. We will continue to keep you posted on the details of this event.