The Securities and Exchange Commission’s Division of Investment Management has released cybersecurity guidance to help advisors and funds address their cyber risks.
The IM Division’s April cyber guidance recommends that advisors and funds conduct periodic assessments, adopt a cybersecurity strategy, and maintain written policies and procedures to mitigate cyberattacks.
Cipperman Compliance Services warns that if advisors and funds have a data breach and have not implemented the measures described in the IM guidance, the SEC “may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient.”
The Division says that cyberattacks on “a wide range of financial services firms highlight the need for firms to review their cybersecurity measures,” and counsels advisors and funds to implement the following strategies, to the extent they are relevant:
– Conduct a periodic assessment of the nature, sensitivity and location of the information that the firm collects, processes and/or stores, and of the technology systems it uses; and examine the internal and external cybersecurity threats to, and vulnerabilities of, the firm’s information and technology systems.
– Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include, for instance: controlling access to various systems and data through management of user credentials; data encryption; data backup and retrieval; and the development of an incident response plan.