The SEC has offered definitive guidance on cybersecurity, tying failures or shortcomings in practices to specific Rules and Regulations and paving the way for potential enforcement. For some months, in the wake of the Cybersecurity Sweep results of February 3, 2015, we have been discussing the path the SEC was implying; we now have concrete regulatory direction from the Division of Investment Management (DIM) in its “Cybersecurity Guidance” released on April 28, 2015. Make no mistake about it: the guidance is clear and actionable, and the penalties for non-compliance may be severe. The DIM noted in the closing paragraph of its Guidance Update that “Appropriate planning to address cybersecurity and rapid response capability may… assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients, as well as complying with the federal securities laws.”
This is a direct shot across the bow: ignorance, minimization, or failure of cybersecurity practices could be treated by the SEC as a violation of federal securities laws, including:
- Fraud provisions of the Investment Advisers Act of 1940
- Rule 206(4)-7 (The Compliance Rule)
- Regulation S-ID (Identity Theft Red Flags)
- Regulation S-P (Privacy of Consumer Financial Information)
- Rule 204A-1 (Investment Adviser Codes of Ethics)
- Section 22(e) and Rule 22c-1 of the Investment Company Act of 1940.
So, now that the regulatory guidance is out and crystal clear, what steps should you take immediately?
1) Conduct a cybersecurity risk assessment and gap analysis. The Guidance makes clear that any risks identified in such a process must percolate through to your firm’s risk matrix or other risk management mechanisms. These risks should be defined and well understood by senior management and/or the fund board. As outlined in the Guidance, your assessment should:
- Consider the nature, sensitivity, and location of information that your firm collects. The clear implication is that a firm must implement some form of data classification policy in order to properly identify such information.
- Consider internal and external threats and vulnerabilities. This can be accomplished in a number of different ways and by different parties. What we would stress here is that, if your IT department or staff are the responsible parties for the identification of risks, their process must be understood by the compliance function and reporting of such risks must be made on a regular basis to compliance for review and assessment in light of Rule 206(4)-7.
- Consider security controls and processes currently in place. Any weaknesses noted should be remediated in a timely manner. We would recommend that gaps noted or weaknesses identified be prioritized in terms of their likelihood and severity; those with the highest combined “scores” should be addressed first.
- Consider the impact of a system breach. Your firm must have a plan in place whereby it understands clearly what data resides where (see the first point above). Only by concretely understanding what data a firm maintains, and where, can it begin to understand the impact of compromise of a single system or of the entire network.
- Consider the effectiveness of your cybersecurity governance structure. Your structure must be tailored to your firm’s own unique needs and now, at a minimum, must address its ability to identify, react to, and remediate weaknesses.
2) Create a strategy that is designed to prevent, detect, and respond to cybersecurity threats. The DIM noted in a footnote, and we highly recommend, that firms consider using the NIST Cybersecurity Framework to assist in this process. Beyond the DIM’s suggestion, we have highlighted five reasons to consider implementing the NIST CSF in a separate White Paper. The DIM noted several granular topics that must be understood by the compliance function and executive management:
- Data Segregation and Restriction, including through the use of credentials, access and authorization methods, firewalls, and tiered access to information and resources. The Guidance also suggested that, as part of this, your strategy consider system hardening. We treat system hardening through restrictive access, removal of unnecessary applications, and continual updating and patching as a bedrock principle required of any organization looking to even minimally protect its assets.
- Data Encryption – Your firm must have a discussion (and we would recommend documenting it) surrounding data encryption. Most firms encrypt data in transit through SSL/TLS. While this is a common best practice and a necessary first step, your plans must go further. Due consideration must be given to encryption of data at rest and the feasibility of folder- or file-level encryption; keep in mind that full-disk encryption protects a lost or stolen device but does nothing against an attacker who has already gained access to a running system, which is where file-level encryption and access restriction earn their keep. Keep in mind also that most states’ notification requirements do not treat loss of or access to encrypted information as a breach, provided the encryption keys were not also compromised, so key management belongs in the same discussion. The SEC will likely view encrypted data in the same light. Additionally, and as part of your understanding of data location, you must include all cloud-based data in your discussion of encryption. If you have backups or data stored in the cloud, you must consider this as part of your third-party due diligence.
- Data Loss Prevention must be considered within your program. The risk of loss of sensitive data through exfiltration (malicious or not) is real and considerable. The hardening of systems, discussed above, should be extended to include the isolation or restriction of the use of removable media, third-party storage sites, and personal email.
- Backup and Retrieval must be considered in any cybersecurity plan. Not only must you consider the use of backups in the event of a cybersecurity incident (indeed, in the case of ransomware such as CryptoLocker, restoring from backup is the only effective way to get back up and running), but also the security of those backups wherever they reside. A backup that is continuously reachable from the network it protects can be encrypted or deleted in the same attack; keep at least one copy offline or otherwise isolated, and test restoration periodically rather than assuming it works.
- The development of an Incident Response Plan is key. While you can leverage the team structures outlined in your Business Continuity or Disaster Recovery plans, keep in mind that a cybersecurity Incident Response Plan will have distinct items that must be covered, including the type of attack and the networks and systems affected.
3) Review your policies and procedures (P&P) and training to ensure that they adequately consider threats and measures to prevent, detect, and respond to them. Additionally, the Guidance suggests that, as part of the written P&P (and as part of your Rule 206(4)-7 obligations), you have effective controls in place to monitor compliance with those written P&P. The DIM also made an excellent suggestion in recommending that customers and investors be included in cybersecurity risk training. Simple techniques such as reminding your clients what information you do or do not ask for, along with reminders of general online security practices, can make their online experience more secure and reduce your attack surface.
The above action points are a summary of the Division’s Guidance Update and should in no way be considered an exhaustive cybersecurity checklist for Investment Advisers and Investment Companies. What is clear to us, however, is that the SEC has laid down the regulatory gauntlet: Compliance, Legal, and Executives MUST be involved in a firm’s cybersecurity governance and risk management process. Failures on the part of these functions could well be deemed a failure to comply with federal securities laws and an enforceable event.