The Securities and Exchange Commission ("SEC") is becoming increasingly concerned with cybersecurity risks to which investment advisers may be exposed. Consequently, it has recently issued guidance ("Guidance") as to actions which advisers should take to protect themselves and their clients from internal and external threats.
The Guidance discusses a three-step process in addressing cybersecurity risk:
(1) Assessment of:
-
The nature, sensitivity, and location of information
-
Internal and external threats and vulnerabilities
-
Security controls and processes currently in place
-
The impact to the adviser and its clients should information or the adviser's technology be compromised
-
The effectiveness of the governance structure for management of cybersecurity risks
(2) Develop a strategy to prevent, detect and respond to cybersecurity threats, including:
-
Controlling access to systems and data
-
Data encryption
-
Restricting use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions
-
Data back-up and retrieval
-
Development of an incident response plan
(3) Implementation through written policies and procedures, training of personnel and monitoring compliance with such policies and procedures.
In addition to monitoring their own policies and procedures relative to cybersecurity, the Guidance also suggest that advisers consider whether sufficient cybersecurity protection is in place at their service providers.
In light of the SEC's concern with cybersecurity risks set forth in the Guidance and elsewhere, registered investment advisers should review, and where necessary, improve their relevant policies and procedures.
