Close
ThinkAdvisor

Regulation and Compliance > Federal Regulation > SEC

SEC Releases Cybersecurity Guidance for RIAs

X
Your article was successfully shared with the contacts you provided.

The Securities and Exchange Commission’s Division of Investment Management has released cybersecurity guidance to help advisors and funds address their cyber risks.

The IM Division’s April cyber guidance recommends that advisors and funds conduct periodic assessments, have a cybersecurity strategy as well as written policies and procedures to mitigate cyberattacks.

Cipperman Compliance Services warns that if advisors and funds have a data breach and have not implemented the measures described in the IM guidance, the SEC “may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient.”

The Division says that cyberattacks on “a wide range of financial services firms highlight the need for firms to review their cybersecurity measures,” and counsels advisors and funds to implement the following strategies, to the extent they are relevant:

– Conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses, as well as examine internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems.

– Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include, for instance, controlling access to various systems and data via management of user credentials as well as data encryption; data backup and retrieval, the development of an incident response plan.

– Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.

The IM staff notes that funds and advisors “should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyberattacks.”

Funds and advisors could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures “that are reasonably designed to prevent violations of the federal securities laws,” the Division says.

For example, the guidance notes that the compliance program of a fund or an advisor could address cybersecurity risk as it relates to identity theft and data protection, fraud and business continuity, as well as “other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions.”

Related articles on ThinkAdvisor: