The Division of Investment Management (IM) of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity for registered investment companies (“funds”) and registered investment advisers (“advisers”), treating it as an important issue because both funds and advisers increasingly use technology to conduct their business activities and need to protect the confidential and sensitive information related to those activities from third parties. That information includes information concerning fund investors and advisory clients.
The IM recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:
· Conduct a periodic assessment of:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - security controls and processes currently in place;
  - the impact should the information or technology systems become compromised; and
  - the effectiveness of the governance structure for the management of cybersecurity risk.
· Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
  - controlling access to:
    § various systems and data via management of user credentials;
    § authentication and authorization methods;
    § firewalls and/or perimeter defenses;
    § sensitive information and network resources;
    § network segregation;
    § system hardening; and
    § data encryption.
  - protecting against the loss or exfiltration of sensitive data by:
    - restricting the use of removable storage media; and
    - deploying software that monitors technology systems for:
      § unauthorized intrusions;
      § loss or exfiltration of sensitive data; or
      § other unusual events.
  - data backup and retrieval; and
  - the development of an incident response plan.
  Routine testing of the strategy could also enhance its effectiveness.
· Implement the strategy through:
  - written policies and procedures; and
  - training that:
    § provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
    § monitors compliance with cybersecurity policies and procedures.