SEC’s Division of Investment Management Releases Cybersecurity Guidance: Guidance Highlights the Importance of Cybersecurity for Funds and Advisers and Suggests Measures To Consider When Addressing Cybersecurity Risks

Sullivan & Cromwell LLP - April 30, 2015

On April 28, 2015, the Securities and Exchange Commission’s Division of Investment Management released cybersecurity guidance (the “Guidance”) for registered investment companies (“funds”) and registered investment advisers (“advisers”).  The Guidance explains that the Division has identified the cybersecurity of funds and advisers as an important issue and discusses various cybersecurity risks and measures to be considered when addressing those risks.  The principal recommendations are for funds and advisers to consider, as appropriate: (1) periodic assessments of cybersecurity threats and vulnerabilities, (2) a prevention, detection and response strategy, and (3) policies, procedures, training and education.  The Guidance is clear that these suggested measures are not intended to be comprehensive, and that funds and advisers should determine whether these or other measures need to be considered.

While the Guidance acknowledges that “it is not possible for a fund or adviser to anticipate and prevent every cyber attack,” it warns that cybersecurity risks can contribute to a violation of the federal securities laws by the fund or adviser.  The Guidance also provides that “because of the rapidly changing nature of cyber threats, the Division will continue to focus on cybersecurity and monitor events in this area.”