What can your firm or fund do today to minimize the work required when the SEC Cybersecurity Rule becomes final this year?

If you wish to recap or missed the live sessions, please visit the recordings on our page here.

While we await the final decision that is due in October 2023, preparation to comply with the new regulation should begin now in order to show a track record of cybersecurity governance and of course to strengthen your defenses against rising cyber threats. Those firms that have significant gaps in their cyber program will find adoption by their staff more accepting than risking a ‘big bang’ approach. For some this can be a major cultural and behavioral shift, and takes time to have real and lasting effect

Below is a summary of the key takeaways from the webinar series. As always, Drawbridge is ready to assist you with your cyber requirements as we do with 1,100 clients in the alternative investment management space.

Risk assessment

  1. Perform a “Cyber Risk Assessment” on the business and learn where your greatest risks and vulnerabilities for cybersecurity lie.
  2. Third parties that handle your confidential staff, investor, trades and holdings data, must undertake a “Vendor Risk Assessment” process. This may include IT, HR, Fund Administration, Legal, etc.
  3. “Cloud Security Assessments” are suitable for firms that wish to verify their cyber risk findings, taking a ‘trust but verify’ approach to your core technology platform, such as Microsoft 365 or Google Workspace.
  4. Begin maintaining your records now to comply with the Record Keeping requirement of 5 years. This will include risk assessments as well as policies, reports, incidents, etc.

User awareness and training

  1. Ensure either your information security policy or employee handbook contain an acceptable use policy that applies to all staff.
  2. Prepare clearly defined roles and responsibilities for the positions in the firm that manage cybersecurity and incident response.
  3. Employ an awareness training program that focuses on the risks your business faces and includes phishing tests. Employees represent one of the largest attack surfaces and behavioral changes are critical to protecting the firm.
  4. If applicable, look to tailored training for key risk business departments (e.g. Software Development teams should have targeted training towards cyber risks in software development).

Vulnerability management

  1. Deploy a vulnerability scanning solution that is suitable for the technical environment.
  2. Develop a patch management and mitigation policy with matching procedures for the business (and IT provider) to adhere to. Include how you will review the progress the team makes.
  3. If it is identified during your risk assessment or as a requirement by Investors/Allocators, perform appropriate Penetration Test(s).

Written cyber policies and procedures

  1. Do you have written policies and procedures in place?
  2. Have you reviewed your firms’ policies and procedures in the past 12 months?
  3. Are procedure items (annual assessments, quarterly phishing, etc.) outlined in your policies part of your compliance calendar?
  4. Have you considered the impact the new regulatory requirements will have on your policies and procedures, including new board oversight requirements?

Incident response

  1. Do you have an Incident Response Plan (IRP)?
  2. Have you reviewed your firms’ IRP in the past 12 months?
  3. Are you testing the effectiveness of your IRP annually?
  4. Do you have the documentation to evidence your testing?
  5. Have you considered the impact the new cybersecurity reporting requirements could impact your Firm in the event of a breach?