SEC Cybersecurity Guidelines
April 21, 2022
Introduction
The U.S. Securities & Exchange Commission has proposed new rules under the Investment Advisors Act of 1940 and the Investment Company Act of 1940 regarding cybersecurity risk. While there are existing SEC rules for identity theft and consumer data security, there are currently none that require firms to implement comprehensive cybersecurity programs.
To address gaps in cybersecurity protections, the proposed rules include implementation of cybersecurity policies and procedures with at least annual evaluation for effectiveness. The rules are designed for each firm to tailor their policies and procedures to their business size and scope. Since this can’t really be a one-size-fits-all approach, the guidance on what will be required is intentionally vague. The rules would require advisors and funds to “adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.”
While the end goal of the SEC is for advisors and funds to have functional, comprehensive policies, there are many different aspects that each firm needs to address to make it a reality.
Who Is Involved
Before you can start developing your cybersecurity policies, you need to identify who at your organization needs to be involved. Depending on your size, this could be a one person, a team of people, and/or include third-party experts. Your employees that specialize in technology, risk, compliance, and legal are just some of the departments that should likely be included in your cybersecurity risk management program.
As it currently stands, policy and procedures administration is up to the individual firm. This could be done entirely in-house with appropriate knowledge and expertise, or through a third-party service subject to appropriate oversight.
Risk Assessment
Per the SEC, a risk assessment is the first step in designing effective cybersecurity policies and procedures. This risk assessment is designed to identify the various risks to your business, the policies and procedures you have in place, and how dangerous each risk would be. Your risk assessment should also include any risk associated with your firm’s service providers that access, process, or maintain advisor or fund information.
As it currently stands, risk assessments can be performed in-house or by a third-party provider, but either way they must be properly documented. Your risk assessment should inform senior management of any significant risks to your business, and the ways in which you’re currently mitigating them or working toward better solutions.
While the SEC is requiring policies and procedures to be updated annually, a risk assessment does not necessarily need to be performed every year. They recommend risk assessments be performed in line with any significant business changes, such as online presence, client web access, and evolving technology.
Using the results of your risk assessment, your firm will understand your organizational risk, the critical areas that require the most attention and monetary investment, and the information that should be included in your policies and procedures.
Information Protection
Another element to the necessary policies and procedures requires advisors and funds to perform “periodic assessment if their information systems and information that resides on the systems.” Similar to the policy-based risk assessment in the previous section, this is a more technical risk assessment of things related to information storage, transmission, and systems access control. It should also include any risks associated with your firm’s service providers that access, process, or maintain advisor or fund information.
Using the results of the technical risk assessment, your firm can determine certain measures to put in place to protect your technical assets. Based on the NIST cybersecurity framework, TraceSecurity risk assessments are designed to include both the policy/procedure and technical aspects required by the SEC. Most TraceSecurity risk assessments come with our proprietary risk management software to assist you with remediation efforts and documenting improvement over time.
In the proposed rules, the SEC has provided some guidance for solutions and testing to mitigate the risks found during your risk assessment(s). While not required, the following recommendations are the standard solutions used by other types of financial institutions.
Your IT department or MSP can employ encryption, network segmentation, and access controls to prevent unauthorized access to sensitive information. Your firm can purchase 24/7/365 monitoring solutions such as Information Detection or Protection Systems (IDS/IPS), Security Information & Event Management (SIEM) Solutions, and/or log monitoring. Depending on the size and complexity of your firm, you may also consider penetration testing to test the controls you put in place.
User Security & Access
People are inherently the most vulnerable part of any organization’s information security, whether it’s employees, clients and customers, or even strangers accessing your wireless networks. The best way to mitigate the threat of human error is to operate on the concept of “least privilege,” or only giving people access to what they need.
With the increase in remote work, restricting access to specific areas or information for certain users is a necessity. Remote access technologies must be properly secured and protected by strong remote work policies, such as mobile device access, personal device access, and use of public internets.
Whether it’s for your employees or your clients accessing an online portal, your firm needs to have well-established access policies to ensure the safety and security of firm information. Acceptable use policies, multi-factor authentication, password maintenance, and account expirations are just a few examples of the policies your firm will need to implement.
Threat & Vulnerability Management
The next requirement for advisors and funds is to “detect, mitigate, and remediate cybersecurity threats and vulnerabilities” with respect to information and systems. You’ll need to perform regular vulnerability assessments against your networks, systems, and applications to find any holes in your security measures and service providers. Once you know what your vulnerabilities are, you can begin working on remediation, or mark them as “acceptable” to your organization.
The goal of vulnerability management is to minimize the window of opportunity for attackers to exploit your networks and systems. The SEC is requiring firms to create policies and procedures establishing accountability for the vulnerability assessments and their results, and a standard process for vulnerability management; including discovery, assignment, escalation, and remediation.
TraceSecurity offers vulnerability assessments with a variety of intensity depending on the size and complexity of your network(s), with options for authenticated and unauthenticated scanning. Most of our vulnerability assessment services include our vulnerability management software, designed for you to prioritize, assign, and track remediation efforts.
Incident Response & Recovery
Incident response and recovery represents a hugely important area for the development of your policies and procedures. The SEC has proposed requirements for advisors and funds to have measure to detect, respond to, and recover from cybersecurity incidents. These policies should include the continuation of business operations, protecting sensitive company information, information sharing, and reporting incidents to the SEC.
Your incident response plan should focus on operational resiliency, ability to recover critical systems or technologies (including service providers), and the timeline of recovery efforts necessary for business operations. The plan should designate the roles and personnel necessary for each aspect of response and recovery.
To test the efficacy of your incident response plan, the SEC recommends performing tabletop tests or full-scale exercises as a part of your required annual review of policies and procedures. A tabletop test involves a walkthrough of your incident response plan based on simulated scenarios, such as a fire at your office, a cybersecurity attack, or even a global pandemic. The goal here is to test how effective your plan would be in a real-world scenario, and make any necessary update or improvements to ensure prompt response and recovery.
Resources