Regulatory requirements for cybersecurity diligence investment managers

We all know cybersecurity is a huge hot topic in investment manager due diligence. But do you know which elements of your cybersecurity diligence are required by law, which are fiduciary duties and which are best practice? IMDDA hosted an online workshop featuring expert guidance on all three areas that you can listen to right away. Or, if you just want to know what the bare bones regulatory requirements are, read on…

What the SEC says

The actual wording of the Securities Act states that an “investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”

What that means in the real world

Our panel of experts outlined what to look for as a bare minimum of required standards by law.

1. Know your CISO

It is up to you to know who the CISO is at your own organization and at each of your partners, and to diligence whether they in turn know who the CISO is at their own vendors. The SEC says there must be a designated person responsible for the policies and procedures of cybersecurity.

CISO “must-haves”:

  • Senior: The designated CISO must be someone senior. They need the knowledge, experience and expertise to properly formulate and implement the policies and procedures around cybersecurity. Not only that, they need the authority to see them implemented effectively.
  • Well Known: Everyone actively working on your business at your investment advisor’s firm should know who their CISO is and how to contact them.
  • On the Committee: The CISO should also sit on the cybersecurity committee.

2. Quiz the committee

In addition to the CISO, you need to check for the existence and functioning of a cybersecurity committee. The law requires an annual review of the policies and procedures around cybersecurity.

This is the work of the CISO and the cybersecurity committee, so there should be documented evidence (agenda and minutes) of their meetings to do this. At a bare minimum these meetings should take place quarterly, ideally monthly, and all policy and procedure documentation should be dated within the last 12 months in order to be compliant.

What should be in cybersecurity policies and procedures?

  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

3. Do the documentation

We’ve discussed checking that there are documents that evidence the existence and update of cybersecurity policies and procedures. In addition to this, you also need to seek documented evidence that these policies and procedures are being implemented effectively:

  • Training: Your investment advisor ought to be able to easily provide training reports and materials evidencing how they educate the people in the organization on being compliant with cybersecurity policies and procedures. This training ought to be updated and refreshed regularly as opposed to a one-off occurrence.
  • Incident Reports: With over 1.5 million cyber attacks happening each year, it is safe to expect any organization to hold and subsequently provide you with incident reports that evidence their awareness of threats and their response to them.
  • Audits: In addition to showing how the organization prepares for and reacts to a cyber threat, you should expect them to demonstrate an ongoing commitment to testing the efficacy of their policies and procedures using regular (annual) audits, which should be documented.
  • Third-Party Due Diligence: Finally, in addition to having their own house in order, you should look for evidence that your investment advisor has conducted their own due diligence on third-party vendors.

To get more detail on how to be an effective cybersecurity diligence investment manager, listen to the rest of the webinar here:

Access our webinar recording and slides on Cyber Due Diligence