While we await the final decision that is due in April 2024, preparation to comply with the new regulation should begin now in order to show a track record of cybersecurity governance and of course to strengthen your defenses against rising cyber threats.
Alternative Investment and Wealth Managers that have significant gaps in their cyber program will find that staff accept a phased rollout more readily than a ‘big bang’ approach. For some firms this is a major cultural and behavioral shift, and it takes time to have a real and lasting effect.
Below is a summary of the key checkbox items that are part of any preparation for the SEC Cyber Rule. As always, Drawbridge is ready to assist you with your cyber requirements as we do with 1,000+ clients in the Alternative Investment Management space.
Risk assessment
- Perform a “Cyber Risk Assessment” on the business and learn where your greatest risks and vulnerabilities for cybersecurity lie.
- Third parties that handle your confidential staff, investor, trade and holdings data must undergo a “Vendor Risk Assessment” process. This may include IT, HR, Fund Administration, Legal, etc.
- “Cloud Security Assessments” are suitable for firms that wish to verify their cyber risk findings by taking a ‘trust but verify’ approach to their core technology platform, such as Microsoft 365 or Google Workspace.
- Begin maintaining your records now to comply with the Record Keeping requirement of 5 years. This will include risk assessments as well as policies, reports, incidents, etc.
User awareness and training
- Ensure that either your information security policy or your employee handbook contains an acceptable use policy that applies to all staff.
- Prepare clearly defined roles and responsibilities for the positions in the firm that manage cybersecurity and incident response.
- Employ an awareness training program that focuses on the risks your business faces and includes phishing tests. Employees represent one of the largest attack surfaces and behavioral changes are critical to protecting the firm.
- If applicable, consider tailored training for high-risk business departments (e.g. software development teams should receive training targeted at cyber risks in software development).
Vulnerability management
- Deploy a vulnerability scanning solution that is suitable for the technical environment.
- Develop a patch management and mitigation policy with matching procedures for the business (and IT provider) to adhere to. Include how you will review the progress the team makes.
- If a need is identified during your risk assessment, or if investors/allocators require it, perform appropriate penetration test(s).
Written cyber policies and procedures
- Do you have written policies and procedures in place?
- Have you reviewed your firm’s policies and procedures in the past 12 months?
- Are procedure items (annual assessments, quarterly phishing, etc.) outlined in your policies part of your compliance calendar?
- Have you considered the impact the new regulatory requirements will have on your policies and procedures, including new board oversight requirements?
Incident response
- Do you have an Incident Response Plan (IRP)?
- Have you reviewed your firm’s IRP in the past 12 months?
- Are you testing the effectiveness of your IRP annually?
- Do you have the documentation to evidence your testing?
- Have you considered how the new cybersecurity reporting requirements could impact your firm in the event of a breach?
You don’t need to prepare for the final SEC Cyber Rule alone. If you’re interested in a 30-minute review session on SEC cyber preparation, reach out to one of our representatives today.