SEC Offers Cybersecurity Guidance with Specific Recommendations
The SEC’s Division of Investment Management doesn’t go so far as to say "do this" or "do that" in its latest cybersecurity warning. But it comes a lot closer than it did before.
The Division on April 28 issued a cybersecurity guidance update, suggesting specific "measures" that advisers and funds "may wish to consider" in addressing cybersecurity risk. The suggested measures are fairly detailed. A February risk alert from the agency’s Office of Compliance Inspections and Examinations provided results of a cybersecurity survey of advisers it performed last year, but offered few recommendations for action.
The new guidance update "is more specific because the agency’s earlier risk alert was basically ‘survey says,’" said Sutherland partner Brian Rubin. But similar recommendations are available from other quarters. For instance, he said, when FINRA provided its cybersecurity report in February, it provided specific guidance.
K&L Gates partner Sean Mahoney noted that the alert is the first time the SEC, which he said has referred to cybersecurity measures before, has explicitly suggested them in one document. "The tone of this alert is that, ‘We think it would be a good idea for you to do x, y and z,’ whereas up to this point the SEC has been implicit about its expectations with regard to cybersecurity."
The guidance alert also means that "every adviser should now expect that every examiner will ask how they are addressing cybersecurity," he said.
The issue has been an SEC priority since April 2014, when OCIE issued a risk alert outlining the launch of its "cybersecurity initiative," following a Commission cybersecurity roundtable held the month before. "Cybersecurity threats know no boundaries," said SEC chair Mary Jo White. "Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks."
"Cyber attacks on a wide range of financial services firms highlight the need for firms to review their cybersecurity measures," the new guidance update says. Those SEC staff concerns were also influenced by discussions the staff had with fund boards and senior management advisers.
One size does not fit all
Advisers and funds will be glad to see that the SEC staff "recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber attack." Nonetheless, it uses the guidance alert to state that "appropriate planning … and a rapid response capability may … assist funds and advisers in mitigating the impact of any such attack and any related effects on fund advisers and advisory clients, as well as complying with the federal securities laws."
Mahoney interprets this to mean that the SEC is leaning toward a risk-based approach to cybersecurity, rather than a checklist-based approach requiring advisers to take specific actions. Under a risk-based approach, risks are assessed, controls and systems are put in place to mitigate risks, activities are then monitored, events are responded to, then corrections to controls and systems are made if needed, with the process continuously repeated. It’s all part of business continuity, he said, something the SEC has also taken a strong interest in for some time.
The guidance suggests three categories of action, with each broken down into specific actions.
The first category of action suggested by the SEC staff is to conduct periodic assessments in five areas:
The nature, sensitivity and location of information the firm collects, processes and/or stores, and the technology systems it uses;
Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
Security controls and processes currently in place;
The impact should the information or technology systems become compromised; and
The effectiveness of the governance structure for the management of cybersecurity risk.
"An effective assessment would also assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk," the guidance alert said.
The right strategy
The second action category suggested was to "create a strategy that is designed to prevent, detect and respond to cybersecurity threats." The strategy would address the following five areas:
Controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
Data backup and retrieval; and
The development of an incident response plan.
"Routine testing of strategies could also enhance the effectiveness of any strategy," the staff said.
Policies and procedures
The third action category is implementing the strategy. This should be done through written policies and procedures, as well as training, "that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures," the guidance update said. It added that firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
Tailor your programs to fit your operations
The guidance alert recognizes that funds and advisers are "varied in their operations." For that reason, it said, "they should tailor their compliance programs based on the nature and scope of their businesses."
The measures suggested in the guidance alert "are not intended to be comprehensive," the alert says. "Other measures may be better suited depending on the operations of a particular fund or adviser. Each fund or adviser should determine whether these or other measures need to be considered in connection with addressing cybersecurity attacks."
Tying cybersecurity risk to compliance risk
Cybersecurity risks may also have an effect on overall securities law compliance. Funds and advisers should identify their respective compliance obligations under federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks, the staff said. Doing so will allow them to mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures reasonably designed to prevent violations of securities laws.
"For example," the guidance alert says, "the compliance program of a fund or an adviser could address cybersecurity risk as it relates to identity theft and data protection, fraud and business continuity, as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions." To this end, the alert suggests that funds and advisers might want to "consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk."
Vendors and networks
Vendors are also a concern, with the guidance noting that because funds and advisers rely on a number of service providers, they "may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers." But it does not specify which cybersecurity measures might be relevant to each type of service provider.
Funds and advisers affiliated with other entities that share common networks should consider whether it may be appropriate to conduct an assessment of the entire corporate network, the staff said.
Finally, the guidance update suggests that funds and advisers consider implementing a mechanism "to monitor for ongoing and new cyber threats." They can do that, it said, by gathering information from outside resources, such as vendors, third-party contractors specializing in cybersecurity and technical standards, and topic-specific publications and conferences.