Advisers & Funds
Got Cybersecurity? While in the past this may have just been an IT department or service provider concern, with the SECís recent Risk Alert announcing that itís conducting a sweep exam of cybersecurity issues, this is quickly becoming a primary focus for CCOs. While we expect the SEC will publish their findings from the sweep and likely issue guidance or propose a regulatory requirement as a result of their findings, this will take time and we recommend CCOs start looking at this now. But where do you start?
- Review the sample document request letter included in the Risk Alert. Use this as a guide to assess what controls you have in place, where there may be gaps and develop a plan to put additional controls and documentation in place.
- Talk to people Ė your IT team, external vendors, service providers, business lines. Start with understanding what is currently in place to address cybersecurity matters. What are your firmís risks and corresponding controls to address such risks? Document what you learn.
- Review your service providersí controls and get representation/certifications from them. This should be considered as part of your assessment of your firmís risks and corresponding controls.
- Consider implementing an incident response plan. How will you respond to a cybersecurity breach? Who will be involved? Your incident response plan should address the following:
- Information that needs to be protected;
- Key risks;
- Existing controls (considerations include: internal controls and resources, external resources, vendor due diligence, insurance); and
- Steps to take when an incident occurs (considerations include: verification, investigation, remedial action, communication, documentation and training).
- Perform training Ė make sure staff is aware of the risks and what they should do if they suspect or identify an issue.
- Consider incorporating cybersecurity matters into your compliance program (risk assessment process, policies and procedures and annual review) and the firmís overall risk management processes. Consider whether an information security policy is appropriate for your firm.
We will work with our clients to determine what action is appropriate at this time. Please contact us with any questions.