Cybersecurity: SEC Outlines Steps You Can Take
Cyber attacks, and the threat they pose to firms that provide finance-related services and their clients, prompted the recent release by the SEC’s Division of Investment Management of some steps that can protect against them. The SEC intended the tips for financial services firms and advisors, but they are applicable more broadly to retirement plan administrators, sponsors and participants, as well as third-party administrators.
The guidance points out that the use of technology makes it necessary to protect confidential and sensitive information from third parties. Its suggestions include the following steps, which track a time-tested solution process: (1) assess; (2) develop an appropriate strategy; and (3) implement that strategy.
1. Conduct a periodic assessment of:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- security controls and processes currently in place;
- the potential impact if the information or technology systems become compromised; and
- the effectiveness of the governance structure for the management of cybersecurity risk.
2. Create a strategy designed to prevent, detect and respond to cybersecurity threats and that includes:
- controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening;
- protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
- data backup and retrieval; and
- the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.
3. Implement the strategy through written policies and procedures and training that:
- provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
- monitor compliance with cybersecurity policies and procedures.
Additional steps that can be taken include:
- educating investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts;
- mitigating exposure to any compliance risk associated with cyberthreats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws;
- reviewing operations and compliance programs; and
- assessing whether measures are in place that will mitigate exposure to cybersecurity risks.
The SEC argues that appropriate planning to address cybersecurity and a rapid response capability may help in mitigating the impact of any attacks and their related effects on investors and clients, and in complying with federal securities laws.