SEC Releases Cybersecurity Guidance for RIAs

April 29, 2015 at 08:27 AM

The Securities and Exchange Commission's Division of Investment Management has released cybersecurity guidance to help advisors and funds address their cyber risks.

The IM Division's April cyber guidance recommends that advisors and funds conduct periodic assessments and have a cybersecurity strategy, as well as written policies and procedures, to mitigate cyberattacks.

Cipperman Compliance Services warns that if advisors and funds have a data breach and have not implemented the measures described in the IM guidance, the SEC "may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient."

The Division says that cyberattacks on "a wide range of financial services firms highlight the need for firms to review their cybersecurity measures," and counsels advisors and funds to implement the following strategies, to the extent they are relevant:

– Conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses, as well as examine internal and external cybersecurity threats to and vulnerabilities of the firm's information and technology systems.

– Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include, for instance, controlling access to various systems and data via management of user credentials; data encryption; data backup and retrieval; and the development of an incident response plan.

– Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.

The IM staff notes that funds and advisors "should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyberattacks."

Funds and advisors could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures "that are reasonably designed to prevent violations of the federal securities laws," the Division says.

For example, the guidance notes that the compliance program of a fund or an advisor could address cybersecurity risk as it relates to identity theft and data protection, fraud and business continuity, as well as "other disruptions in service that could affect, for instance, a fund's ability to process shareholder transactions."
