Advisers increasingly rely on technology to conduct business, and with that comes a growing need to protect confidential and sensitive information, including information about clients, from unauthorized third parties, the SEC says. Underscoring the need for firms to review their cybersecurity measures is a series of recent high-profile cyber-attacks on firms, from JP Morgan to the health insurer Anthem.
In February, the SEC reported that few firms have written policies and procedures that directly address how they determine whether they are responsible for client losses associated with cyber-incidents. The lack of a defined process can prove problematic for advisers and broker/dealers accused of leaving client data or funds exposed to cyber-risks. The 2015 exam priorities, though streamlined from the previous year, will still focus on cybersecurity compliance and controls.
Advisers should consider several measures when addressing cybersecurity risk. The guidance update from the SEC’s Investment Management unit offers three steps for addressing cybersecurity.
First, conduct a periodic assessment of the nature, sensitivity and location of the information the firm collects, processes and stores, and of the technology systems that handle it. Assess internal and external cybersecurity threats to, and vulnerabilities of, the firm's information and technology systems, and assess how effectively the firm's governance structure manages cybersecurity risk. An effective assessment helps identify potential threats and vulnerabilities so that the firm can prioritize and mitigate the risks that matter most.
Questions to ask:
- What are the security controls and processes currently in place?
- What would the impact be, should the information or technology systems become compromised?
Next, create a strategy to prevent, detect and respond to cybersecurity threats. Firms might want to consider tiered access to sensitive information and network resources, network segregation, system hardening and data encryption. To guard against the loss or exfiltration of sensitive data, consider restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, and other unusual events. Develop an incident response plan that states who acts, and how, when monitoring flags such an event. Routine testing of the strategy, including the response plan, will show whether it actually works before an incident does.
Questions to ask:
- Who has access to various systems and data?
- What user credential, authentication and authorization methods should the firm adopt?
- Is there a firewall or are there perimeter defenses in place?
- What is the process for data backup and retrieval?
Finally, implement the strategy with written policies, procedures and training to provide guidance to officers and employees. Detail applicable threats and describe the measures that will prevent, detect and respond to such threats.
Questions to ask:
- Does the firm want to educate investors and clients about how to reduce their exposure to cybersecurity threats?
- Does the staff understand the policies and procedures to help monitor compliance?
The Investment Management Division recommends that advisers identify their compliance obligations under the federal securities laws and take them into account when assessing how they can prevent, detect and respond to cyber-attacks. Advisers can also mitigate their exposure to compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws.
More information about the guidance update is on the SEC’s website.