New SEC Guidelines on Cybersecurity For Registered Investment Companies/Advisors

When investors hand over their hard-earned money for investment services to either a registered investment company or a financial advisor, they expect that their investment will remain safe from cyber thieves. With the number of cyberattacks on financial institutions steadily increasing—and as financial services companies grow and become more and more technology dependent—businesses in the financial services sector will need to keep cybersecurity at the forefront of their business strategies.

New SEC Guidelines

The U.S. Securities and Exchange Commission has issued new guidelines for financial services companies to evaluate cybersecurity risks in their operations and to identify important safety measures to help protect both client information and investment capital from cybertheft.

  1. Periodic Assessments. The SEC advises financial services companies to take the time to conduct thorough periodic assessments of their cybersecurity situation. This includes evaluating current systems and controls; determining the vulnerabilities of data storage systems that the business uses; assessing potential internal and external cybersecurity threats; considering the impact that a breach would have on the business; and preparing a cybersecurity risk-management protocol.
  2. Devise a Strategy. The SEC also advises that financial services companies develop a cybersecurity strategy that assesses each company’s unique cybersecurity issues, as well as detects, monitors, prevents and responds to these issues. For example, companies should:
    • Control access to computer systems, i.e., limit access to systems to only those employees whose job functions require access to those systems.
    • Utilize data encryption methods.
    • Utilize data backup and retrieval systems.
    • Develop policies against the use of removable digital storage media such as thumb drives and disks.
    • Prepare an incident response plan for when the company detects a cyber threat within the company’s systems.
  3. Implementation. The SEC advises that companies should confirm these cybersecurity protocols in writing for dissemination to all employees. The company should also provide training to employees to raise awareness about cybersecurity threats and to show how to handle those threats within the company. Companies might even consider educating their clients about both the potential cyber threats that exist and how the company plans to handle issues if and when they arise.

A One-Size-Fits-All Cybersecurity Solution Does Not Exist

The SEC acknowledges that each financial services company is different in terms of how it operates, what services it provides and its specific level of technological dependence. Thus, each company’s cybersecurity risks are unique. The SEC guidelines suggest that each company should tailor its cybersecurity policies and protocols to suit its specific needs and operations.

The Best Offense Is a Good Defense

The SEC published these recent cybersecurity guidelines to provide financial services companies with guidance on how to take steps toward protecting themselves and their clients from cyber threats, such as hacks, thefts and attacks. While it is impossible to predict every possible form of cyber threat, raising awareness and developing prevention, detection and response strategies in advance of an incident will prompt a quicker resolution in the event that a company is the victim of a cyberattack.