SEC Issues Cybersecurity Guidance

hacker

Last year, the SEC raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview last month it seems that initiative would continue into a phase 2. The SEC recently released its Cybersecurity Guidance that enunciates some steps investment advisers and fund managers can take to improve their ability to repel cyber threats.

1. Conduct a periodic assessment.

2. Create a strategy to prevent, detect and respond to cybersecurity threats.

3. Implement the strategy.

Of course, cybersecurity is important and all advisers and fund managers should take it seriously.

I do get hung up on the SEC’s statement that a firm’s initiative should be part of a compliance initiative “reasonable designed to prevent violations of the federal securities law.” I think the SEC is stretching the anti-fraud provisions of Section 206 beyond where they should go.

As the guidance point out, it is not possible to anticipate and prevent every cyber attack. If a bad actor wants to attack your systems, the bad actor can eventually get into your systems. Is that breach a compliance failure or not? The SEC’s guidance is setting complex security protocols as a legal compliance issue.

I’m skeptical that there are many people in the SEC’s IM division who understand cybersecurity protocols. I’m just as skeptical that there are many adviser/fund manager CCOs who understand cybersecurity protocols. But the SEC is insisting that cybersecurity protocols fall under the aegis of the the Section 206 anti-fraud provisions.

Sources:

Hacker by Dani Latore
CC BY SA
https://www.flickr.com/photos/dlato/6437570877/

For those of you getting this by email, you should see a slightly different look. I changed providers. Let me know if you encounter any problems.

 

Author: Doug Cornelius

You can find out more about Doug on the About Doug page

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.