SEC urges advisers to draw up and implement cybersecurity plans

The Securities and Exchange Commission is pushing investment advisory firms to establish and implement formal, written policies to combat data breaches. “Create a strategy that is designed to prevent, detect and respond to cybersecurity threats,” the SEC Division of Investment Management said in a guidance update released on Tuesday. “Implement the strategy through written policies and procedures and training … [for] officers and employees.” The document recommends that firms conduct periodic assessments of the data it collects, the vulnerabilities of their information systems, the security controls they have in place, the potential consequences of a breach and their plan to manage such an assault. A cybersecurity strategy could include using credentials and authentication to restrict access to firm data as well as encrypting and backing up data. The guidance follows cybersecurity exams that the SEC and the Financial Industry Regulatory Authority Inc., the industry-funded broker-dealer regulator, conducted last year. Both organizations have made cybersecurity an examination priority for the past two years, and the SEC hosted a roundtable on the topic last year. The guidance underscores the fact that the SEC is making cybersecurity a regulatory obligation, said Todd Cipperman, principal at Cipperman Compliance Services. “It puts the whole cybersecurity compliance program on the chief compliance officer's desk,” Mr. Cipperman said. “It means CCOs are going to have to step up their IT game. They don't need to become IT experts, but they do need to become IT competent.” Although the guidance doesn't carry the force of a rule and is not legally binding, it does outline what the SEC will be looking for when it conducts exams. Advisers should take heed, said Brian Rubin, a partner at Sutherland Asbill & Brennan. “They should be thinking long and hard about why their procedures or processes are different from what is suggested,” Mr. Rubin said. “Broker-dealers should review [the guidance], too, even though it does not apply to them.” The next step for the SEC could be cybersecurity enforcement actions, Mr. Cipperman said. The agency also could show up at the door of an advisory firm after a data breach to assess the cyber defense it had implemented. “You ignore this guidance at your own peril,” Mr. Cipperman said.