The Blog Of The Securities Industry Professional Association

Securities and Exchange Commission’s Cyber Security Guidance
By Doug Kamin, Senior Compliance Consultant Regulatory Compliance

On April 28, 2015, the Securities and Exchange Commission (“SEC”) Division of Investment Management released Cybersecurity Guidance IM 2015-02 for registered investment companies (“Funds”) and registered investment advisers (“Advisers”). Earlier this year the SEC announced that cybersecurity would be an examination priority for 2015. The Guidance is important because it discusses specific measures (i.e. best practices) that Funds and Advisers should consider when addressing cybersecurity risks.

In the Guidance, the SEC stated that to mitigate their exposure, Funds and Advisers should consider the following items when addressing cybersecurity risk:

A. Conduct a periodic risk assessment to identify potential cybersecurity threats and vulnerabilities by assessing:
(1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses,
(2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems,
(3) security controls and processes currently in place,
(4) the impact should the information or technology systems become compromised, and
(5) the effectiveness of the governance structure for the management of cybersecurity risk.

B. Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
(1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening,
(2) data encryption,
(3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events,
(4) data backup and retrieval,
(5) the development of an incident response plan, and
(6) routine testing of the effectiveness of these strategies.

C. Implement the strategy through written policies and procedures and through training that gives officers and employees guidance on applicable threats and on measures to prevent, detect and respond to them, and monitor compliance with the cybersecurity policies and procedures.

D. Firms may also educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.

Funds and Advisers can mitigate their exposure to the compliance risks associated with cyber threats by implementing effective written policies and procedures customized to the nature and scope of the firm’s business. Compliance programs should address cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity, as well as other disruptions in service. Funds and Advisers should also assess whether protective cybersecurity measures are in place at key service providers.

If you have questions related to compliance obligations, compliance requirements, or other compliance topics, please contact Regulatory Compliance at 888-REG-COMP (888-734-2667).


May 19th, 2015