May 14, 2021

Volume XI, Number 134


May 13, 2021

Subscribe to Latest Legal News and Analysis

May 12, 2021

Subscribe to Latest Legal News and Analysis

May 11, 2021

Subscribe to Latest Legal News and Analysis

Division of Investment Management Issues Cybersecurity Guidance-- Securities and Exchange Commission

On April 28, 2015, the staff of the Division of Investment Management of the SEC published a Guidance Update addressing cybersecurity risks and the need for funds and advisers to protect confidential
and sensitive information concerning fund investors and advisory clients. The staff noted that cyber-attacks on a wide range of financial services firms highlight the need for firms to review their cybersecurity measures.

The staff remarked that funds and advisers should identify their respective compliance obligations
under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber-attacks. The staff identified a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following to the extent they are relevant:

  • Conduct a periodic assessment of: (1) the type, sensitivity and location of information that the firm collects, processes and/or maintains, and the technology systems it uses for such purposes; (2) internal and external cybersecurity threats and vulnerabilities of the firm’s information
    and technology infrastructure; (3) security controls and processes currently in place; (4) the potential consequences of a breach in the firm’s information or technology systems; and (5) the effectiveness of the governance structure for the management of cybersecurity risks.

  • Create a cybersecurity strategy to mitigate, identify and respond to cybersecurity threats, including: “(1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan.”

  • Implement the cybersecurity strategy by means of written policies and procedures and through training that enables officers and employees to appreciate applicable threats and understand the measures designed to prevent, identify and respond to such threats, and that monitor compliance with such policies and procedures.

    The staff noted that because funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses. Additionally, the staff noted that funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers. The staff recognized that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack, but that a fund’s or adviser’s appropriate planning to address cybersecurity and a rapid response capability may assist funds or advisers in mitigating the impact of any such attack, as well as complying with the federal securities laws.

    The Guidance Update is available at 

© 2021 Vedder PriceNational Law Review, Volume V, Number 144



About this Author

Nathaniel Segal Investment Attorney Vedder Price Law Firm

Nathaniel Segal is counsel at Vedder Price and a member of the Investment Services group. He focuses his practice on investment companies and investment advisers in connection with the organization and operation of investment products and services, including traditional mutual funds, closed-end investment companies (including interval funds and listed closed-end funds), variable insurance products and registered hedge funds, as well as mutual funds utilizing complex hedging and absolute return strategies. Mr. Segal has experience in conducting transactional due diligence...

(312) 609 7747
John Marten Investment Attorney Vedder Price Law FIrm

John S. Marten, a Shareholder in the Chicago office of Vedder Price, has substantial experience representing clients in the investment management industry.

As a member of the firm’s Investment Services group, Mr. Marten counsels clients on a wide variety of matters involving the application of the federal securities laws to investment companies, investment advisers and broker-dealers. He has significant experience counseling investment company clients with respect to new products and was recently involved in the creation of two mutual funds...

(312) 609 7753