SEC Guidance, While Noting Potential Compliance Risks, Suggests Cybersecurity Framework for Investment Firms

The SEC's Division of Investment Management (the Division) recently issued cybersecurity guidance¹ for registered investment companies (funds) and registered investment advisers (advisers). While couched as a series of suggested best practices in cybersecurity, the guidance also indicates that the Division believes insufficient cybersecurity planning may expose funds and advisers to compliance risks under existing SEC rules and federal securities laws. The Division notes that a "wide range of financial services firms" have suffered cyber attacks and that, accordingly, there is a "need" for firms to review their cybersecurity strategy. Likewise, the Division notes steps the Commission has already taken to address this risk, including through the Office of Compliance Inspections and Examinations (OCIE) review of adviser cybersecurity practices² and the SEC's 2014 Cybersecurity Roundtable.³ The Division states it will continue to focus on and monitor developments in cybersecurity. While non-binding, the guidance should be taken seriously as a preliminary framework of cybersecurity expectations for funds and advisers.

Suggested Measures to Address Cybersecurity Risks

The cybersecurity framework outlined in the Division guidance largely tracks the Framework for Improving Critical Infrastructure Cybersecurity created by the National Institute of Standards and Technology (NIST) in response to President Obama's February 2013 cybersecurity executive order.⁴ The financial services sector is one of the sixteen "critical infrastructure sectors" the President has identified in PPD-21, the companion policy directive to the cybersecurity executive order released the same day.⁵ The Division offers three steps firms "may wish to consider" in addressing cybersecurity risks:

Periodic Assessments. First, the Division suggests that firms engage in periodic assessments of their cyber risk, including what information is collected, processed, and stored by the firm; the threats and vulnerabilities faced by the firm; controls currently in place; and the mechanisms and governance in place to address and manage this risk. This step largely mirrors the NIST Framework's "Identify" function, which similarly encourages the identification of the assets, business environments, governance, risks, and risk management strategies a firm has in place.

Prevent, Detect and Respond. Second, firms are encouraged to create a strategy to "prevent, detect, and respond to cybersecurity threats." This language directly tracks the NIST Framework's "Protect," "Detect," and "Respond" functions. The Division identifies five specific steps that "could" be included in a strategy: (1) network access defenses (including sufficient credentialing, firewalls, system hardening, network segregation, and tiered access); (2) encryption; (3) restricting the use of removable media and monitoring systems for unauthorized intrusions; (4) data backup and retrieval; and (5) developing an incident response plan.

Policies, Procedures and Training. Third, the Division recommends implementing this strategy through written policies, procedures, and training. The Division also suggests that firms "may wish to educate investors and clients about how to reduce their exposure."

The SEC guidance itself notes that funds and advisers may wish to consider the NIST Framework when developing a strategy to mitigate exposure to cyber attacks.

Cybersecurity "Compliance Risks"

After outlining the suggested steps firms may consider in addressing cybersecurity, the guidance indicates the Division may believe a variety of existing Commission rules and federal laws under the Commission's jurisdiction cover aspects of the cyber risks. The guidance states that funds and advisers "could also mitigate exposure" to compliance risks associated with cyber threats "through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws." The guidance provides as examples of a compliance program that could mitigate such risks, one that addresses the following concerns: identity theft and data protection, fraud, business continuity, and disruptions in service, such as those that could affect a fund's ability to process shareholder transactions. The Division also notes that firms should "tailor their compliance programs based on the nature and scope of their businesses" and that funds and advisers should consider assessing the protective cybersecurity measures that are in place at relevant service providers on which they rely to conduct operations.

In the end notes, the guidance cites to rules on creating effective compliance programs,⁶ as well as rules related to identity theft,⁷ consumer financial privacy,⁸ fraud,⁹ and an adviser's "fiduciary obligation to its clients," which "includes obligations to its clients from being placed at risk as a result of the adviser's inability to provide advisory services[.]"¹⁰ The Division suggests that firms should consider the full range of potential compliance threats, including that "[f]raudulent activity could result from cyber or data breaches from insiders, such as fund or advisory personnel[.]"

Finally, the Division recognizes that "it is not possible for a fund or adviser to anticipate and prevent every cyber attack," but it reiterates that appropriate cybersecurity planning and implementing a "rapid response capability" may assist firms in mitigating the impact of any cyber attack "as well as complying with the federal securities laws."

Conclusion

Funds and advisers should inventory and assess their computer and communications networks and data systems, and vendors, and review their compliance policies, internal controls, strategies, and training, to confirm that they adequately cover the risks that the Division has identified. While many firms already have privacy policies, business continuity plans, and disaster recovery plans in place, some may be lacking adequate polices and controls regarding identity theft, information security and data breach, and insider threats, or that address fully the risks posed to the firm as an enterprise by cybersecurity issues. Also, as technology evolves and business operations change, it is important to update these policies, controls, and protocols. In addition, some firms may not currently have appropriate practices in place to prevent, detect, and respond to cybersecurity threats. Further, many firms may not be in the practice of providing regular training to their employees on cybersecurity matters, and may not have crisis response teams in place. In order for these programs to be effective, it is crucial that firms include their information technology teams in creating and implementing them. Firms should also consider establishing appropriate arrangements with third-party service providers (such as cybersecurity forensic experts, legal and public relations) in advance, so that if there is a cyber attack, the firm is prepared to respond immediately. Firms should also conduct diligence on their vendors and review and assess contracts with third party services providers to confirm that they appropriately address privacy and computer security matters.¹¹ While it may be initially burdensome to create these programs, doing so is important to address the legal, compliance, and business risks associated with cybersecurity matters.