By: Matt Baskir

It should come as no surprise that every annual and examination priorities release by the SEC focuses on cybersecurity practices, weaknesses and deficiencies. The pandemic has only brightened the spotlight on firm’s information security and operational resiliency practices (along with business continuity, supervision, privacy and various other areas). The SEC has released targeted observations relating to cybersecurity  as well.

There are common themes that we see in each of these releases:

  • Risk assessments
  • Testing and monitoring – both internal and external
  • Collaboration and communication between firm departments relating to cyber risks
  • Access rights and management
    • Secure access and VPN use
    • Multi-factor authentication (“MFA”)
    • Equipment and software inventory and rights termination
    • Bring your own device (“BYOD”)
    • Anti-virus software and firewalls
    • Patch management and password practices
  • Secure transmission of sensitive information/encryption
  • Data backup
  • Phishing and Ransomware
  • Training
  • Information barriers
  • Incident response

We’ve also seen similar guidance released recently on cloud computing and vendor management and the requisite oversight that firms need to discharge to protect confidential information and assess vendor systems and internal controls. So, it came as no surprise last month when the SEC announced sanctions on eight firms for cybersecurity program failures that resulted in client information being compromised. The resounding message – it’s not enough to draft cybersecurity policies with enhanced protections (i.e. MFA)… you have to follow those policies and actually implement the security measures. And, if you haven’t updated your cybersecurity policies to add such protections, you should do so ASAP…

Financial firms, large and small, are all subject to cyber threats. Every firm must evaluate its exposure and the risks specific to its business and operations, dedicate sufficient resources and personnel, conduct training and implement solutions to protect confidential information and the firm’s business from threats that could have significant and sometimes catastrophic consequences.

Nottingham takes cybersecurity seriously and we have an internal department composed of experts with decades of experience in information security and operational resiliency for the investment companies and clients that we serve. We also have a firm understanding of what’s expected of investment advisers in terms of cybersecurity practices from a compliance perspective. Cyber threats grow more complex by the day – now is the time to take action to protect your business and clients.

If you have any questions about cybersecurity issues, 40 Act or Advisers Act compliance, starting a fund or other compliance or consulting solutions, please don’t hesitate to reach out.

The information contained herein is made available only for your assistance and convenience and for informational purposes. Nothing herein is designed to provide, and does not constitute, legal advice on any matter and should not be relied upon for that purpose. Any opinions included herein are those of the author and not attributable to the Nottingham Company, its management or affiliates.