Articles Tagged with Cybersecurity Risks

Published on:

By

SEC Risk Alert regarding safety of customer records and cloud vendor diligence.

As part of its cybersecurity sweep, the SEC has examined risks related to the storage of customer records and information by investment advisers on cloud-based storage platforms and issued a Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features.” The sweep focused on vendor due diligence and oversight and registered advisers’ monitoring of data and customer information safety.  Among other information, OCIE sought vendor contracts (including service level agreements); vendor reviews; risks assessments of cloud service providers, including data encryption, data loss prevention, books & records exposure, identity and access management; and policies and procedures and their alignment to technology standards.

The Risk Alert identified as the main compliance issues related to cloud-based storage (i) Misconfigured network storage solutions (inadequately configured security settings to protect against unauthorized access; lack of policies and procedures addressing the security configuration);  (ii) Inadequate oversight of vendor-provided network storage solutions (lack of, or inadequate, policies, procedures, contractual provisions that security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards); and (iii) Insufficient data classification policies and procedures (firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data).

The Risk Alert encourages investment advisers to review their practices, policies, and procedures with respect to the electronic storage of customer information and to consider any necessary improvements, and to actively oversee vendors.  The SEC included helpful recommendations for cyber/cloud risk management, including the implementation of policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.

Please contact your counsel at Pillsbury’s Investment Funds Group if you need help with reviewing and enhancing your cloud storage and related policies.

Published on:

By

The ERISA Advisory Council recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans. By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement
demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes, among other actions, the implementation and periodic review of contractual protections in arrangements
with their plans’ TPAs.

This advisory is the second in a series of advisories dedicated to understanding cybersecurity issues.

READ MORE . . .

Read this article and additional publications at pillsburylaw.com/publications-and-presentations.  You can also download a copy of the Client Alert here.

Published on:

By

Investment managers, particularly high priority cybercrime targets, such as hedge funds and quantitative strategy managers, are encouraged to consider the government-industry information sharing option and liability protection afforded by the new legislation.  For more information, please contact the Investment Fund and Investment Management group.

On Tuesday, October 27, the U.S. Senate approved legislation, strongly supported by business groups, that would facilitate information sharing between government and industry and provide liability protection to companies that participate. The Cybersecurity Information Sharing Act of 2015 (CISA) passed the Senate by a bipartisan vote of 74-21, setting the stage for a House-Senate conference committee that will work to resolve differences between CISA and similar legislation passed by the House in April and to prepare a final bill to be considered by both chambers of Congress for potential enactment into law.

READ MORE…

Read this article and additional publications at pillsburylaw.com/publications-and-presentations.  You can also download a copy of the Client Alert.

Published on:

By

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released two publications addressing cybersecurity at advisory and brokerage firms. The first publication, a Risk Alert, relays the findings from the examinations of more than 100 investment advisers and broker-dealers and focuses on how they: (i) establish cybersecurity policies, procedures and oversee the processes; (ii) identify cybersecurity risks; (iii) protect information and networks; (iv) identify and address the risks associated with funds transfer requests, remote access to client information and third-party vendors; and (v) detect activity that is unauthorized.  The SEC’s Office of Investor Education and Advocacy released the second publication which provides tips for investors to better safeguard their online investment accounts. Their recommendations include using a strong password and a two-step verification process.

The SEC’s recent examinations found 93% of examined broker-dealers and 83% of examined investment advisers have adopted cybersecurity policies, though, whereas 89% of the broker-dealers periodically audit compliance with the policies, only 57% of investment advisers conduct periodic cybersecurity compliance audits.  The SEC continues to place high importance on cybersecurity and every broker-dealer and investment adviser should ensure they have adequate written policies and procedures in place and test them periodically.