By ECI | Friday, August 12, 2022

The SEC has proposed new rules around cyber risk management for investment advisers and funds. There’s a lot to unpack in the 224-page SEC document that delineates the new rules. But the takeaway is that investment advisers and funds must take specific actions around seven core aspects of cyber risk management: policies and procedures, access management, data protection, vulnerability management, incident response, reporting, and accountability.
To prepare your organization for compliance and protect it against cyber risk, take these 7 actions now:
1. ESTABLISH WRITTEN CYBERSECURITY PLANS, POLICIES, AND PROCEDURES.
- Document a robust cyber risk plan.
- Formalize your cybersecurity policies and procedures.
- Assess, categorize, and prioritize your unique risks.
- Classify your datasets.
- Identify critical service providers that have access to your data.
- Review policies and procedures at least annually.
- Update based on business changes that could affect cyber risk.
- Make sure documentation is easily retrievable.
2. REVIEW, DOCUMENT AND ENFORCE ACCESS MANAGEMENT BEST PRACTICES.
- Understand that, under the proposed rules, best practices for data access management would become SEC requirements.
- Create and enforce an acceptable use policy (AUP).
- Create policies for passwords, least-privilege access, and remote access.
- Implement multifactor authentication (MFA).
- Closely involve IT for access management, device management, endpoint protection, and training.
- Review and update policies regularly.
3. DEPLOY DATA PROTECTION POLICIES AND TECHNOLOGIES.
- Monitor and protect data from unauthorized access.
- Safeguard data based on sensitivity level and importance to operations.
- Protect data when it’s stored and as it’s transmitted.
- Leverage methods such as encryption, network segmentation, access controls, and automated threat detection.
- Document which vendors have access to data.
- Require vendors to meet cybersecurity standards and report cyber incidents.
4. MANAGE THREATS AND VULNERABILITIES.
- Perform regular vulnerability scans.
- Track, prioritize, and remediate known vulnerabilities.
- Update and patch software promptly.
- Don’t overlook device and application configuration.
- Conduct regular penetration tests.
5. IMPLEMENT CYBERSECURITY INCIDENT RESPONSE PLANNING AND RECOVERY.
- Develop and document an incident response plan and recovery procedure.
- Include metrics for speed and effectiveness of response.
- Test the response plan and fine-tune it based on results.
- Identify ways to handle data if vendor systems become unavailable.
6. REPORT AND DISCLOSE CYBERSECURITY INCIDENTS.
- Realize that reporting of cyber incidents is a major new requirement in the SEC proposal, calling for a new level of transparency.
- Report significant cyber incidents to the SEC.
- Publicly disclose cyber risks and incidents from the previous two fiscal years to both clients and the SEC.
7. FORMALIZE CYBERSECURITY RESPONSIBILITY AND ACCOUNTABILITY.
- Recognize that the proposed SEC rules formalize cybersecurity accountability.
- Boards of directors must review and approve cybersecurity policies and procedures.
- Boards must also understand and address cyber threats in the marketplace.
- Alert boards to cyber incidents.
- Inform boards about vendors that handle sensitive data.
How Can ECI help you?
Contact Us today!