
InfoBytes Blog

Financial Services Law Insights and Observations

SEC Publishes Cybersecurity Guidance for Registered Investment Companies and Advisers

SEC Vendors Privacy/Cyber Risk & Data Security

Privacy, Cyber Risk & Data Security

On April 30, the SEC’s Division of Investment Management issued IM Guidance Update No. 2015-02, which highlights measures that investment companies and advisers may wish to consider in addressing cybersecurity risks. The guidance urges firms to adopt a three-pronged approach including, among other things, the following. First, conducting a periodic assessment of (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. Second, creating a strategy designed to prevent, detect, and respond to cybersecurity threats. Third, implementing the strategy through written policies and procedures. The Division’s guidance also warned investment companies and advisers about third-party vendor agreements that could potentially lead to unauthorized access to investors’ information.