5 June 2015
In April 2015, staff of the US Securities and Exchange Commission's ("SEC's") Division of Investment Management ("IM Staff") released a guidance update highlighting a number of measures that registered investment companies and registered investment advisers (including registered advisers in the real estate asset management industry) should consider in addressing cybersecurity risks. This Alert will focus on the recommendations in the guidance update affecting registered advisers. In the guidance update, the IM Staff provided the following non-exclusive set of recommended measures: (i) conduct periodic assessments; (ii) create a cybersecurity strategy; and (iii) implement the strategy through written policies and procedures, and employee training.
Conduct Periodic Assessments
The IM Staff recommended that advisers periodically assess: (i) the nature, sensitivity and location of the information that is collected, processed or stored, and the technology systems used to do so; (ii) cybersecurity threats to, and vulnerabilities of, the information and systems; (iii) existing cybersecurity controls; (iv) the potential impact of a cybersecurity incident; and (v) the adequacy of their governance framework for the management of cybersecurity risks.
The IM Staff believes that an effective periodic assessment would help identify threats and vulnerabilities, so as to better evaluate and mitigate cybersecurity risks. As part of this assessment, advisers that are affiliated with other entities that share common networks should assess the entire corporate network. While not specifically mentioned in the guidance update, advisers should include third-party service providers with access to their IT systems in their periodic assessments to understand better the potential risks.
Create a Cybersecurity Strategy
The IM Staff recommended that advisers develop and routinely test a strategy for the purpose of preventing, detecting and reacting to cybersecurity threats by:
- controlling access to data and systems (e.g., credentials, firewalls and tiered access);
- restricting the use of removable storage media and monitoring IT systems for intrusions, data loss or export or other unusual events;
- implementing data backup and retrieval processes; and
- developing an incident response plan.
The IM Staff also recommended that advisers stay up-to-date on new and continuing cyber threats by gathering information from outside resources (e.g., vendors, publications and conferences, and information sharing networks, such as FS-ISAC).
Implement the Cybersecurity Strategy
The IM Staff suggested that advisers implement the strategy through written policies and procedures, as well as a training program, that provide guidance to officers and employees concerning relevant cybersecurity threats and the measures used to prevent, detect and respond to them. The IM Staff recommended that advisers tailor their policies and procedures to their particular circumstances and that the policies and procedures provide for appropriate planning and rapid response to a cyber attack.
Additionally, in the IM Staff's view, advisers should consider their compliance obligations under the federal securities laws when assessing their cybersecurity preparedness. The IM Staff noted that compliance risks associated with cyber threats could be mitigated through the implementation of polices and procedures that are reasonably designed to prevent violations of the federal securities laws. According to the IM Staff, advisers should monitor their ongoing compliance with their cybersecurity policies and procedures. The IM Staff stated that, for example, advisers' compliance programs could address cybersecurity risks as they relate to:
- identity theft and data protection, as required by Regulation S-P (safeguarding client information) and Regulation S-ID (identity theft red flag program);
- fraud by insiders, as required by Advisers Act Rule 204A-1;
- business continuity plans that prevent clients from being placed at risk due to an adviser's inability to provide advisory services; and
- ongoing management of assets in a manner consistent with advisers' representations to clients and/or their contractual obligations to clients.
Importantly, the IM Staff acknowledged that it is not possible for an adviser to anticipate and prevent every cyber attack. However, the IM staff believes that appropriate cybersecurity measures and response planning could not only help advisers mitigate the impact of cyber attacks on themselves and clients, but also would assist advisers in complying with the federal securities laws.
The IM Staff suggested that advisers assess whether protective cybersecurity measures are in place at their relevant service providers and review their service provider contracts for appropriate provisions regarding technology issues and cybersecurity and cyber attack responsibilities. The IM Staff's latter suggestion follows after the SEC's Office of Compliance, Inspections and Examinations' ("OCIE's") observation, during its cybersecurity sweep examination, that few examined advisers incorporated cybersecurity provisions into their contracts with vendors and business partners.
The IM Staff also recommended that advisers assess the cybersecurity risk posed by service providers with access to their IT systems (e.g., reviewing contracts with vendors from a cybersecurity risk management perspective). While the guidance update does not identify any specific contractual protections, these would typically include representations and undertakings with respect to the protection of client information, audit rights to verify information security and immediate notification in the event of actual or suspected unauthorized access to client information.
In addition, the IM Staff suggested that advisers educate their clients about reducing their exposure to cybersecurity risks associated with their accounts.
The IM Staff further suggested that advisers consider obtaining cybersecurity insurance. This recommendation follows after OCIE observed that few of the advisers examined during the cybersecurity sweep examination maintained cybersecurity insurance.
This Legal Update was subsequently published by PREA on June 5, 2015.