Yesterday, staff from the SEC Division of Investment Management issued a registered investment advisor (RIA) compliance guidance update on cybersecurity. This is the second 2015 guidance update issued by staff of the Investment Management Division, following its February 2015 release on acceptance of gifts or entertainment by fund advisory personnel. Yesterday's release is a major RIA compliance event, as this is one of the first times that the SEC staff has directly issued guidance on how RIA firms should consider addressing information technology security and cybersecurity risk, specifically "their ability to prevent, detect, and respond to cyber attacks."
The SEC staff notes that increased technology usage by investment advisory firms, coupled with the ever-changing types of cyber threats, shows the need for RIA firms to review their information technology security measures. This recent release also comes shortly after the February 2015 risk alert issued by the SEC following the completion of its cybersecurity examination sweep of 57 registered broker-dealers and 49 registered investment adviser (RIA) firms.
The SEC staff is careful to note that "these suggested measures are not intended to be comprehensive and other measures may be better suited depending on the operations of a particular fund or adviser. Each fund or adviser should determine whether these or other measures need to be considered in connection with addressing cybersecurity risks." With that caveat, the staff highlights three main actions that an RIA firm may consider taking to help address information technology security issues. These three actions are:
- Conduct a periodic information technology security risk assessment
- Create and test a strategy designed to "prevent, detect, and respond to cybersecurity threats"
- Implement the strategy by creating written policies and procedures and training internal staff and possibly clients
As discussed in a recent blog post, conducting an annual firm risk assessment is an essential component of the compliance program of an SEC-registered RIA firm. In this guidance, the staff is suggesting that assessing information technology security risks should be a critical part of the firm's annual compliance risk assessment. The logic is that it's hard to design a successful cybersecurity strategy without first stepping back and identifying the key threats and vulnerabilities that are unique to a particular advisory firm.
When crafting an information technology security strategy, the staff notes that some of the key focus areas of that strategy may include:
- Access control to systems and sensitive data
- Restricting the use of removable storage media
- Having the ability to monitor network activity for unauthorized intrusions
- Data backup and retrieval
- Creation of an incident response / business continuity plan
Lastly, the staff highlights that it's crucial that the proper written policies and procedures, tailored to the particular firm, be implemented in order to have a process in place to "prevent, detect and respond" to information technology security threats. Every investment advisory firm needs to ensure that the firm's policies and procedures manual also properly addresses information technology security issues. Furthermore, the staff emphasizes that simply having written policies and procedures is not sufficient; it's also vital that the firm conduct the proper employee training. The staff also notes that firms may want to consider educating clients about how to protect themselves against cybersecurity incidents.
As RIA compliance consultants, we strongly recommend that the principals and Chief Compliance Officer (CCO) of all investment advisory firms review the SEC's cybersecurity guidance update in full detail, as information technology security is still a rapidly evolving RIA compliance topic. All SEC-registered RIA firms should review their compliance policies and procedures to ensure that they reflect the SEC's latest guidance on cybersecurity.