Client Alerts

SEC Advises Investment Companies and Registered Advisers to Formulate and Implement a Cybersecurity Plan

By: Frances Floriano Goins and Candice L. Musiek Capoziello

About: Cybersecurity & Privacy

On April 28, 2015, the SEC Division of Investment Management issued an Investment Management Guidance Update identifying cybersecurity as an important concern for investment companies and registered advisers. To prevent, detect, and respond to cybersecurity threats, the SEC recommends that these entities conduct periodic risk assessments, design a cybersecurity strategy intended to prevent, detect, and respond to threats, and implement that strategy.

Conducting Risk Assessments

The SEC suggests that investment companies and advisers consider the following when assessing cybersecurity risks and potential threats:

Preventing, Detecting, and Responding to Cybersecurity Risk

Likewise, the SEC suggests that policies for prevention, detection, and response include the following considerations:

Implementing a Strategy

The SEC recommends implementing data protection and cybersecurity plans with written policies and procedures, supplemented by training, education, and guidance for employees. Additionally, investment companies and advisers should provide education to investors and clients about how to reduce their exposure to threats that could potentially affect their accounts.

Cybersecurity and Compliance with Federal Securities Laws

The SEC cybersecurity guidance also states that investment companies and registered advisers should consider their compliance obligations under federal securities laws when assessing and implementing cybersecurity policies. The SEC recommends designing cybersecurity policies that are tailored to the nature and scope of the company’s or adviser’s business. For example, a company heavily involved with processing shareholder transactions should have a cybersecurity plan in place that addresses the specific compliance implications of disruptions in service. Additionally, the SEC recommends that companies and advisers critically examine their contracts with service providers to determine whether those providers have sufficient cybersecurity measures in place.

Questions? Contact us.

Ulmer & Berne is committed to monitoring developments and trends in cybersecurity, and will continue providing you with additional information and insight on the expanding impact of cybersecurity and data privacy laws. Supplemented by our strong financial services practice, our data privacy and information security practitioners are uniquely positioned to help financial institutions of all size put strong, effective cybersecurity policies in place. If you have any questions, or would like additional information, please contact a member of the Data Privacy & Information Security Practice at Ulmer & Berne LLP.