SEC to Examine Cybersecurity Policies at a Hedge Fund Near You
Notice anything different? That’s right, your favorite hedge fund technology blog got a facelift, and we didn’t stop there: we overhauled our corporate website too. Our goal with the overhaul was to make it even easier for visitors to get the valuable information they expect from the industry’s technology leader (us!). We hope you like it.
Now on to today’s hot topic. The U.S. Securities and Exchange Commission (SEC), at a recent industry event, said that they plan to examine the policies and procedures asset managers have in place to prevent and detect cyber attacks.
Specifically, according to Reuters, SEC national associate director Jane Jarcho said, “We will be looking to see what cybersecurity policies are in place to prevent, detect and respond to cyber attacks [and] we will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors.”
Some have indicated that the SEC cybersecurity exams could be coming by late September 2014. In many cases they will be conducted as part of the SEC’s routine examinations of investment companies; however, Jarcho advised that inquiries could also be done as separate exams.
When it comes to reporting security incidents, Jarcho stated advisors should report material attacks only, since the reality is that there are millions of attempts at intrusion or improper access and most are minor.
How Can You Prepare for the SEC’s Cybersecurity Exam?
Here on Hedge IT we have written a ton on cybersecurity best practices and policies for investment firms. In fact, we recently ran a webinar on the topic with eSentire (listen here). Below is a recap of the steps your investment firm should take to put a cybersecurity plan in place before the SEC comes calling.
1. Establish and implement an Information Security Policy that outlines the layers of security you will put in place, from technology and authentication protocols to restricting access and password requirements;
2. Create an Incident Response Plan so you are fully prepared should a security breach or cyber-attack occur;
3. Train your employees on Information Security Awareness, because a firm’s security strategy will only work if employees are properly trained on it; and
4. Conduct Due Diligence on your service providers so they do not expose you to unexpected risks.