Towards a Practical Cybersecurity Protocol

While there is no “cybersecurity rule” for SEC-registered investment advisers, the SEC does expect you to have something in place.  Your policies and procedures must be “reasonably designed to identify, detect, and prevent violations” of the Advisers Act, similar state rules, and other mandates.

Investment adviser firms have a wide array of cybersecurity policies.  The length and subject matter depend on the size of the firm, geographic reach, number of personnel and so forth.

Some investment advisers have one or more internal IT employees, and some outsource the function.  There is no right or wrong.  How you structure your technology and software is up to you.

That notwithstanding, a cybersecurity breach can lead to a violation of rules.  For example, a breach can cause the theft of your customers’ personally identifying information.  If that happens, that’s a potential violation of Regulation S-P, the compliance rule and a breach, no pun intended, of fiduciary duty.

“Small” investment adviser firms do not have the resources, time, or money to invest in an IT department.  Just as with compliance or accounting, outsourcing is a good way to go.  Even “big” RIAs outsource at least one thing.

If you don’t know what you’re doing in this area, there are a number of basic, overarching questions you can ask and, hopefully, answer to get your firm on the right track towards a reasonable and practical cybersecurity protocol.

Yes, I wrote “cybersecurity protocol” and not “policy.”  Keep reading and you will know the reasons.  

As the first paragraph discussed, your cybersecurity protocol should be reasonable.  But why should it be practical?  Isn’t that a distinction without a difference?

My first attempt to be funny will show the difference.  Suppose your firm had a rule that required all employees to write in pencil.  To discourage the use of pens, your policy may be to disallow pens in the office.  That policy would be “reasonably designed” to prevent violations of the Pen and Pencil Act of 2021.  

But the policy would have to be followed.  We all know unruly employees will “accidentally” have a pen somewhere on their person.  It would be practical to tell employees to reject all documents that are written in pen.  Not only does that allow for human error, but it would also take at least two people for the “no pen rule” to be violated.

Not only that, but it is also useful.  Rejecting all documents written in pen integrates your company’s processes into the rule.

Can we translate this into something related to cybersecurity?  Absolutely we can.  

We all know that we need to keep both client data and our passwords secure.  But no one has a policy stipulating that documents that contain client data cannot exist or be in the office.  Similarly, stipulating that passwords cannot be written down is not a practical policy.  If client data on someone’s desk is allowable, passwords can be written down.  Those passwords can be used to access that client data, so there is no real difference.

This doesn’t mean lists of passwords should be wantonly lying around, but a list of passwords secured in a drawer and locked away with client documents is not only a reasonable safeguard, it is practical and reflective of our day-to-day reality.

That reality is having more passwords than most people can remember.  So, don’t overthink your cybersecurity protocol.  Now, onto those reasons for calling it a “cybersecurity protocol.”

First, the phrase more accurately describes the purpose of the document.  Second, it grabs attention since policies buried in a stack of other documents are often forgotten or ignored.  Third, it’s a stronger word than “guidelines.”  When people see “guidelines” they see “optional.”  Fourth, I just like it.

Venturis Solutions, Paul Mallory 4 February, 2021