Privacy Law Blog | Privacy Data Security Lawyers | Proskauer Rose Law Firm
Posted September 18, 2015, 9:31 AM

On April 28, the Securities and Exchange Commission (SEC) released a Guidance Update addressing the importance of cybersecurity and the steps registered investment advisers (and registered investment companies) may wish to consider in light of growing cybersecurity risks. This Guidance Update is the latest instance of the SEC's increased emphasis on cybersecurity as a priority for advisers. A Cybersecurity Roundtable was hosted by the SEC on March 26, and the Office of Compliance Inspections and Examinations released a Risk Alert on February 3, 2015 summarizing its cybersecurity examinations of over 100 advisers and broker-dealers.

The Guidance Update provides several measures that advisers may wish to consider when creating a cybersecurity policy. These suggestions are not, however, intended to be comprehensive and advisers should tailor their cybersecurity policies to the particular nature and scope of their businesses.

The Guidance Update suggests that to assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk, advisers should consider conducting a periodic assessment of the following:

  • the nature, sensitivity and location of information that the adviser collects, processes and/or stores, and the technology systems utilized;
  • the internal and external cybersecurity threats to and vulnerabilities of the adviser's information and technology systems;
  • the security controls and processes currently in place;
  • the impact on the adviser in the event that the information or technology systems become compromised; and
  • the effectiveness of the governance structure for the management of cybersecurity risk.

Cybersecurity Strategy

The Guidance Update also suggests that advisers should consider whether to develop, and routinely test, strategies to prevent, detect and respond to cybersecurity threats. Such strategies could include:

  • controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening (i.e., removing all nonessential software programs and services, unnecessary usernames and logins and diligently updating software);
  • data encryption;
  • protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  • data backup and retrieval; and
  • the development of an incident response plan.

Implementation

The Guidance Update further encourages advisers to implement cybersecurity strategies through written policies and procedures, as well as personnel training. Training of officers and employees should include a discussion of the applicable cybersecurity threats and the measures to prevent, detect and respond to such threats. The Guidance Update suggests advisers should routinely monitor their compliance with the cybersecurity policies and procedures.

The Guidance Update also states that advisers may wish to educate investors and clients about reducing their exposure to cybersecurity risks with respect to their accounts. Furthermore, the Guidance Update suggests that advisers consider assessing the adequacy of the cybersecurity measures employed by their service providers and determine whether their service-provider contracts sufficiently address technology issues and related responsibilities that arise in the case of a cyberattack. A service provider's access to an adviser's technology systems may also grant unauthorized access to sensitive data. Advisers may consider whether insurance coverage related to cybersecurity risks is necessary or appropriate.

Cybersecurity remains a prevalent business concern for advisers, and failure to identify points of vulnerability could result in unexpected cyberattacks. Cybersecurity threats should be addressed through the creation of specific policies and procedures, personnel training and ongoing testing and monitoring. For example, the compliance program could address cybersecurity risk as it relates to identity theft and data protection, fraud and business continuity, as well as other disruptions in service that could affect, for instance, a fund's ability to process investor transactions. When designing, implementing and monitoring cybersecurity programs, the Guidance Update suggests that advisers be mindful of their obligations under the federal securities laws. Advisers should consider continuously assessing cybersecurity risks, tailoring cybersecurity programs to the nature and scope of their businesses and regularly monitoring compliance with such programs. The staff recognizes that it is not possible for an adviser to anticipate and prevent every cyberattack. Appropriate planning to address cybersecurity and a rapid response capability may, nevertheless, assist advisers in mitigating the impact of attacks and any related effects on investors and clients, as well as compliance with federal securities laws.

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:

In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.”

On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of the European Union to apply to any website directed to or collecting data from European citizens.

On January 27, 2015, the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates, IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation and improved safety and convenience through connected cars.