CYBER UPDATE: Registered Investment Advisers and Broker-Dealers: SEC Says It’s Your Turn to Pay Attention to Cyber Security

The Division of Investment Management (IM) of the Securities & Exchange Commission (SEC) has identified the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue, because both funds and advisers increasingly use technology to conduct their business activities and need to protect confidential and sensitive information related to these activities from third parties. That includes information concerning fund investors and advisory clients.

The IM recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

- Conduct a periodic assessment of:
    - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    - security controls and processes currently in place;
    - the impact should the information or technology systems become compromised; and
    - the effectiveness of the governance structure for the management of cybersecurity risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
    - controlling access to:
        § various systems and data via management of user credentials;
        § authentication and authorization methods;
        § firewalls and/or perimeter defenses;
        § sensitive information and network resources;
        § network segregation;
        § system hardening; and
        § data encryption.
    - protecting against the loss or exfiltration of sensitive data by:
        - restricting the use of removable storage media; and
        - deploying software that monitors technology systems for:
            § unauthorized intrusions;
            § loss or exfiltration of sensitive data; or
            § other unusual events.
    - data backup and retrieval; and
    - the development of an incident response plan.

    Routine testing of strategies could also enhance the effectiveness of any strategy.
- Implement the strategy through:
    - written policies and procedures; and
    - training that:
        § provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
        § monitors compliance with cybersecurity policies and procedures.

Rob Kleeger

Digital4nx Group, Ltd., 8 South Main Street - Unit 70, Marlboro Township, NJ, 07746, United States

Rob Kleeger is the Founder and Managing Director of Digital4nx Group, a boutique firm which offers regional digital forensics services for plaintiffs and defendants in various civil and criminal legal matters. Digital4nx Group provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services.
