Cybersecurity Procedures Recommendations from SEC Staff
The SEC’s Division of Investment Management has issued a Guidance Update on Cybersecurity, recommending periodic assessments, a cybersecurity strategy, and written policies and procedures. The staff recommends that advisers and fund managers conduct a periodic assessment that locates confidential information, identifies threats and vulnerabilities, reviews security controls, and assesses the impact of an attack and the firm’s governance structure. The staff also recommends that firms create a strategy to control access to confidential information, restrict the use of removable storage media, encrypt data, ensure data backup and retrieval, and develop an incident response plan. The staff also recommends specific compliance policies and procedures and training.
OUR TAKE: If you have a data breach and you have not implemented the measures described in the Guidance, the SEC has warned you that it may take regulatory action because your cybersecurity internal controls and policies and procedures were not sufficient.