Last year, the SEC raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview last month, it seems that initiative will continue into a phase 2. The SEC recently released its Cybersecurity Guidance, which sets out three steps investment advisers and fund managers can take to improve their ability to repel cyber threats:
1. Conduct a periodic assessment.
2. Create a strategy to prevent, detect and respond to cybersecurity threats.
3. Implement the strategy.
Of course, cybersecurity is important and all advisers and fund managers should take it seriously.
I do get hung up on the SEC's statement that a firm's cybersecurity initiative should be part of a compliance program "reasonably designed to prevent violations of the federal securities laws." I think the SEC is stretching the anti-fraud provisions of Section 206 beyond where they should go.
As the guidance itself points out, it is not possible to anticipate and prevent every cyber attack. If a determined bad actor wants to get into your systems, the bad actor eventually will. Is that breach a compliance failure or not? The SEC's guidance turns complex security protocols into a legal compliance issue.
I'm skeptical that there are many people in the SEC's IM division who understand cybersecurity protocols. I'm just as skeptical that there are many adviser/fund manager CCOs who understand cybersecurity protocols. But the SEC is insisting that cybersecurity protocols fall under the aegis of the Section 206 anti-fraud provisions.
Sources:
- Cybersecurity Guidance from the SEC’s Division of Investment Management
- Cybersecurity best practices suggested by the SEC’s Division of Investment Management in IA Watch
- Cybersecurity Phase 2
Image: Hacker by Dani Latore, CC BY-SA, https://www.flickr.com/photos/dlato/6437570877/
For those of you getting this by email, you should see a slightly different look. I changed providers. Let me know if you encounter any problems.