Benedicte Gravrand, Opalesque Geneva:
The SEC last year examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the legal, regulatory, and compliance issues associated with cybersecurity, and issued its initial findings in February.
The SEC’s Division of Investment Management has now issued additional cybersecurity guidance in the form of a Guidance Update.
The Guidance Update lists a number of things that firms can do to improve their cybersecurity program, including:
1. Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.
2. Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data; (4) data backup and retrieval; and (5) the development of an incident response plan.
3. Implement the strategy through written policies and procedures and training.
According to Schulte Roth & Zabel, a global law firm, most registrants will find the Guidance Update to be fairly broad and high-level. It does, however, provide more detail on what reasonable security measures are than the SEC has previously offered, and it expressly confirms that mishandling cyber risks can result in violations of the securities laws by investment companies and investment advisers.
Greater effort is expected, more tailoring is required and better training is mandated, says the law firm. However, as many managers will not be able to handle the demands internally, they are likely to get help from security and cybersecurity experts and legal and compliance experts.
Source: http://ift.tt/1bASxRF