New SEC Cyber Rules: Will Your Firm Be Ready?
The SEC has proposed new rules around cyber risk management for investment advisers and funds. There’s a lot to unpack in the 224-page SEC document that delineates the new rules. But the takeaway is that investment advisers and funds must take specific actions around seven core aspects of cyber risk management: policies and procedures, access management, data protection, vulnerability management, incident response, reporting, and accountability.
To prepare your organization for compliance and protect it against cyber risk, take these 7 actions now:
1. ESTABLISH WRITTEN CYBERSECURITY PLANS, POLICIES, AND PROCEDURES.
- Document a robust cyber risk plan.
- Formalize your cybersecurity policies and procedures.
- Assess, categorize, and prioritize your unique risks.
- Classify your datasets.
- Identify critical service providers that have access to your data.
- Review policies and procedures at least annually.
- Update based on business changes that could affect cyber risk.
- Make sure documentation is easily retrievable.
2. REVIEW, DOCUMENT AND ENFORCE ACCESS MANAGEMENT BEST PRACTICES.
- Understand that best practices for data access management are now SEC policy.
- Create and enforce an acceptable use policy (AUP).
- Create policies for passwords, least-privilege access, and remote access.
- Implement multifactor authentication (MFA).
- Closely involve IT for access management, device management, endpoint protection, and training.
- Review and update policies regularly.
3. DEPLOY DATA PROTECTION POLICIES AND TECHNOLOGIES.
- Monitor and protect data from unauthorized access.
- Safeguard data based on sensitivity level and importance to operations.
- Protect data when it’s stored and as it’s transmitted.
- Leverage methods such as encryption, network segmentation, access controls, and automated threat detection.
- Document which vendors have access to data.
- Require vendors to meet cybersecurity standards and report cyber incidents.
4. MANAGE THREATS AND VULNERABILITIES.
- Perform regular vulnerability scans.
- Track, prioritize, and remediate known vulnerabilities.
- Update and patch software promptly.
- Don’t overlook device and application configuration.
- Conduct regular penetration tests.
5. IMPLEMENT CYBERSECURITY INCIDENT RESPONSE PLANNING AND RECOVERY.
- Develop and document an incident response plan and recovery procedure.
- Include metrics for speed and effectiveness of response.
- Test the response plan and fine-tune it based on results.
- Identify ways to handle data if vendor systems become unavailable.
6. REPORT AND DISCLOSE CYBERSECURITY INCIDENTS.
- Realize that reporting of cyber incidents is a major new SEC requirement calling for a new level of transparency.
- Report significant cyber incidents to the SEC.
- Publicly disclose cyber risks and incidents from the previous two fiscal years to both clients and the SEC.
7. FORMALIZE CYBERSECURITY RESPONSIBILITY AND ACCOUNTABILITY.
- Recognize that new SEC rules formalize cybersecurity accountability.
- Boards of directors must review and approve cybersecurity policies and procedures.
- Boards must also understand and address cyber threats in the marketplace.
- Alert boards to cyber incidents.
- Inform boards about vendors that handle sensitive data.