SEC Issues IM Guidance on Cybersecurity 4-30-2015

Conspicuous Compliance
Horrigan Resources
your compliance partner ... one and done
April 2015
Volume 15, Number 101
Special Issue
Cybersecurity: SEC Issues IM Guidance Update No. 2015-02
Background
Third time is a charm! Since April 2014, the SEC has issued two Risk Alerts to the regulated community about its concerns related to cybersecurity threats. On April 28, 2015, the SEC shed further light on cybersecurity compliance risk by issuing direct guidance to investment advisers and investment companies in the form of IM Guidance Update 2015-02 [Cybersecurity Guidance]. This guidance highlights the importance of protecting confidential and sensitive information and discusses measures that firms should consider in an effort to reduce cybersecurity risk.
Before we highlight key provisions of the IM Guidance Update, let’s consider the landscape.
Every Firm is at Risk
Data breaches occur every day, and most businesses don’t know they have been compromised. Several widely publicized cyber intrusions at large enterprises with multi-million dollar cybersecurity budgets went undetected for many months, and in some cases years. We highlight below some interesting facts from the PwC 2014 US State of Cybercrime Survey. 1
♦ The US Director of National Intelligence has ranked cybercrime as the top national security threat, higher than that of terrorism, espionage, and weapons of mass destruction.
♦ In 2013 the FBI notified more than 3,000 companies – ranging from small banks to major defense contractors and leading retailers – that they had been victims of cyber intrusions.
♦ 69% of US executives are worried that cybercrime will impact growth.
♦ 7% of US organizations lost $1 million or more due to cybercrime incidents in 2013.
♦ 77% of survey respondents detected a security event in the past 12 months, and more than a third said the number of security incidents detected increased over the previous year.
♦ The average number of security incidents detected in 2013 was 135 per organization. This does not account for those incidents that go undetected, given that the 3,000 companies mentioned above were unaware of cyber intrusions until they had been notified.
♦ The most frequent types of cybercrime include malware, phishing, network interruption, spyware, and denial of service attacks.
♦ 26% of respondents that had detected a cybersecurity incident could not identify the source of the attack.
♦ 28% of respondents pointed the finger at insiders, which includes trusted parties such as current and former employees, service providers, and contractors.
♦ The consequences of cybercrime perpetrated by insiders are material:
  o Loss of confidential/proprietary data 11%
  o Reputational harm 11%
  o Critical system disruption 8%
  o Loss of current or future revenue 7%
  o Loss of customers 6%
♦ The mechanisms used to commit cybercrimes are noteworthy:
  o Social engineering 21%
  o Laptops 18%
  o Remote access 17%
  o E-mail 17%
  o Copy data to mobile device 16%
♦ The survey revealed a significant correlation between the level of spending on cybersecurity and the number of incidents detected.
♦ Banking and finance respondents spent as much as $2,500 per employee (median) on cybersecurity in 2013.
♦ 42% said security education and awareness for new employees played a role in deterring a potential criminal, among the highest of all policies and technologies used for deterrence.
1 www.pwc.com/cybersecurity
IM Guidance Update
In the SEC staff’s view, there are a number of steps funds and advisers should take to thwart cybercrime, as outlined below.
Assessment
Funds and advisers are urged to periodically assess the nature, sensitivity and location of information collected, processed and stored, along with the technology systems used. Firms must further assess inside and outside threats to enterprise information and technology systems. The assessment should evaluate internal controls and processes associated with security and further evaluate the impact of a data breach or compromise of technology systems. Importantly, the assessment process should consider the efficacy of the governance structure for the management of cybersecurity risk. The objective of the assessment must be to better identify cyber threats and effectively mitigate the associated risk.
Cybersecurity Strategy
The SEC expects funds and advisers to create a cybersecurity strategy designed to prevent, detect, and resolve cybersecurity threats. The strategy should consider:
♦ Data access through user credentials
♦ Authentication and authorization methods
♦ Firewalls and perimeter defenses
♦ Tiered access to sensitive information and network resources
♦ Network segregation
♦ System hardening (removal of unnecessary programs/users and program updates/patches)
♦ Restricted use of removable storage media
♦ Monitoring of network intrusions, data breach, and other cyber threats
♦ Data back-up and retrieval
♦ Preparation of an incident response plan
♦ Periodic testing of cyber strategy
Written Policies / Procedures and Training
The IM Guidance urges funds and advisers to adopt policies and procedures to govern the implementation of cyber strategies. Policies should require periodic training of employees to ensure they understand their obligations to help protect the enterprise. The SEC urges registrants to educate clients and investors about how they may reduce their exposure to cyber threats. To the extent registrants rely upon third party service providers to carry out their business, the assessment should evaluate the internal controls employed by these providers to mitigate cybersecurity risk. Remember that delegation to a third party by a fund or adviser does not absolve the firm from liability nor obviate the firm’s fiduciary duty.
Next Steps
At Horrigan Resources, we stand ready to assist our clients in addressing the full range of risk management metrics referenced in the SEC’s IM Guidance Update. In September 2014, we initiated a partnership with an IT specialist to launch a new service offering – the HRL Cybersecurity & IT Risk Assessment. Our service combines the technological capability to assess and enhance our clients’ cyber risk posture with comprehensive cyber policies and procedures to protect the enterprise and meet new regulatory standards. We welcome your contact at any time to discuss your needs and partner with you in this important endeavor.
For more compliance information and timely resources, please check out our website:
www.horriganresources.com
Horrigan Resources, Ltd.
3000 Village Run Road
Building 103, #209
Wexford, PA 15090
(724) 934-0129
[email protected]
© 2015 Horrigan Resources, Ltd. All rights reserved. Reproduction or redistribution of Conspicuous Compliance is strictly forbidden without prior written permission of Horrigan Resources, Ltd. This publication has been prepared for your general information and no responsibility is taken for any errors or omissions. While all care has been taken in its preparation, no warranty is given as to the accuracy of the information. This publication is not intended to provide legal advice.