SEC issues cybersecurity guidance

On April 28, 2015, the SEC issued a Guidance Update as a follow-up to the cybersecurity risk alert released on February 3, 2015. It is evident that the SEC considers cybersecurity a priority and an area of high risk for registered investment advisers and registered investment companies.

Safeguarding a firm’s confidential, proprietary and sensitive information is critical, as is performing due diligence on third parties that have access to a firm’s systems and information. For these reasons, the SEC recommends the following general guidelines to assist firms in evaluating cybersecurity risk:

  • conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores and the technology systems used
  • identify internal and external cybersecurity threats to, and vulnerabilities of, the firm’s information and technology systems
  • evaluate existing security controls and processes currently in place
  • determine the impact should the information or technology systems become compromised
  • verify the effectiveness of the governance structure for management of cybersecurity risk
  • create a strategy or program designed to prevent, detect and respond to cybersecurity threats

Recommended strategies to protect a firm’s information include:

1) control access to various systems and data via user authentication and strong passwords, firewalls/perimeter defense, and tiered access to sensitive information

2) protect against loss or exfiltration of sensitive data by restricting use of removable storage media, deploying software that monitors systems for unauthorized intrusions, and using encryption

3) data back-up and retrieval

4) routine testing of systems

5) implementing written policies and procedures

The SEC reminds funds and advisers of their compliance obligations under federal securities laws, and reminds them to take these responsibilities into account when assessing their ability to prevent, detect and respond to cyber-attacks.

2015-05-07
