SEC Issues IM Guidance on Cybersecurity 4-30-2015
Conspicuous Compliance Horrigan Resources your compliance partner ... one and done April 2015 Volume 15, Number 101 Special Issue Cybersecurity: SEC Issues IM Guidance Update No. 2015-02 Background Third time is a charm! Since April of 2014, the SEC has issued two Risk Alerts to the regulated community about their concerns related to cybersecurity threats. On April 28, 2015, the SEC illuminated cyber risk compliance risk further by issuing direct guidance to investment advisers and investment companies in the form of IM Guidance Update 2015-02 [Cybersecurity Guidance]. This guidance highlights the importance of protecting confidential and sensitive information and discusses measures that firms should consider in an effort to reduce cybersecurity risk. Before we highlight key provisions of the IM Guidance Update, let’s consider the landscape. - page 2 - Every Firm is at Risk Data breaches occur every day and most businesses don’t know they have been compromised. Several widely publicized cyber intrusions (i.e., enterprise-wide with multi-million dollar cyber security budgets) were not detected for many months, and in some cases, years. We highlight below some interesting facts from the PwC 2014 US State of Cybercrime Survey. 1 ♦ The US Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction. ♦ In 2013 the FBI notified more than 3,000 companies – ranging from small banks, major defense contractors, and leading retailers – that they had been victims of cyber intrusions. ♦ 69% of US executives are worried that cybercrime will impact growth. ♦ 7% of US organizations lost $1 million or more due to cybercrime incidents in 2013. ♦ 77% of survey respondents detected a security event in the past 12 months, and more than a third said the number of security incidents detected increased over the previous year. ♦ The average number of security incidents detected in 2013 was 135 per organization. This does not account for those incidents that go undetected, given that the 3,000 companies mentioned above were unaware of cyber intrusions until they had been notified. ♦ The most frequent types of cybercrime include malware, phishing, network interruption, spyware, and denial of service attacks. ♦ 26% of respondents that had detected a cybersecurity incident could not identify the source of the attack. ♦ 28% of respondents pointed the finger at insiders, which includes trusted parties such as current and former employees, service providers, and contractors. ♦ The consequences of cybercrime perpetrated by insiders are material: o Loss of confidential/proprietary data 11% o Reputational harm 11% o Critical system disruption 8% o Loss of current or future revenue 7% o Loss of customers 6% ♦ The mechanisms used to commit cybercrimes are noteworthy: o Social engineering 21% o Laptops 18% o Remote access 17% o E-mail 17% o Copy data to mobile device 16% ♦ The survey revealed a significant correlation between the level of spending on cybersecurity and the number of incidents detected. ♦ Banking and finance respondents spent as much as $2,500 per employee (median) on cybersecurity in 2013. ♦ 42% said security education and awareness for new employees played a role in deterring a potential criminal, among the highest of all policies and technologies used for deterrence. 1 www.pwc.com/cybersecurity - page 3 - IM Guidance Update In the SEC staff’s view, there are a number of steps funds and advisers should take to thwart cybercrime, as outlined below. Assessment Funds and advisers are urged to periodically assess the nature, sensitivity and location of information collected, processed and stored, along with the technology systems used. Firms must further assess inside and outside threats to enterprise information and technology systems. The assessment should evaluate internal controls and processes associated with security and further evaluate the impact of a data breach or compromise of technology systems. Importantly, the assessment process should consider the efficacy of the governance structure for the management of cybersecurity risk. The objective of the assessment must be to better identify cyber threats and effectively mitigate the associated risk. Cybersecurity Strategy The SEC expects funds and advisers to create a cybersecurity strategy designed to prevent, detect, and resolve cybersecurity threats. The strategy should consider: ♦ Data access through user credentials ♦ Authentication and authorization methods ♦ Firewalls and perimeter defenses ♦ Tiered access to sensitive information and network resources ♦ Network segregation ♦ System hardening (removal of unnecessary programs/users and program updates/patches) ♦ Restricted use of removable storage media ♦ Monitoring of network intrusions, data breach, and other cyber threats ♦ Data back-up and retrieval ♦ Preparation of an incident response plan ♦ Periodic testing of cyber strategy - page 4 - Written Policies / Procedures and Training The IM Guidance urges funds and advisers to adopt policies and procedures to govern the implementation of cyber strategies. Policies should require periodic training of employees to ensure they understand their obligations to help protect the enterprise. The SEC urges registrants to educate clients and investors about how they may reduce their exposure to cyber threats. To the extent registrants rely upon third party service providers to carry out their business, the assessment should evaluate the internal controls employed by these providers to mitigate cybersecurity risk. Remember that delegation to a third party by a fund or adviser does not absolve the firm from liability nor obviate the firm’s fiduciary duty. Next Steps At Horrigan Resources, we stand ready to assist our clients in addressing the full range of risk management metrics referenced in the SEC’s IM Guidance Update. Commencing in September, 2014, we initiated a partnership with an IT specialist to launch a new service offering – the HRL Cybersecurity & IT Risk Assessment. Our service combines the technological capability to assess and enhance our clients’ cyber risk posture, with comprehensive cyber policies and procedures to protect the enterprise and meet new regulatory standards. We welcome your contact at any time to discuss your needs and partner with you in this important endeavor. -------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------- For more compliance information and timely resources, please check out our website: www.horriganresources.com Horrigan Resources, Ltd. 3000 Village Run Road Building 103, #209 Wexford, PA 15090 (724) 934-0129 [email protected] © 2015 Horrigan Resources, Ltd. All rights reserved. Reproduction or redistribution of Conspicuous Compliance is strictly forbidden without prior written permission of Horrigan Resources, Ltd. This publication has been prepared for your general information and no responsibility is taken for any errors or omissions. While all care has been taken in its preparation, no warranty is given as to the accuracy of the information. This publication is not intended to provide legal advice.
© Copyright 2024