Latest SEC Cybersecurity Guidance: 3 Critical Questions for Fund Managers

Do you know where your data is? New SEC guidance requires better cybersecurity documentation and recordkeeping. Ted Wright, Head of Solutions Consulting, dives in.

Ted Wright, VP, Sales
February 17, 2022

In Brief

  • New SEC guidance adds a layer of documentation and recordkeeping to existing cybersecurity requirements.
  • Fund managers should consider where and how they’re managing research and data.
  • A centralized research management system is a simple, powerful step in the right direction.

SEC Cybersecurity Guidance: The Latest

On February 9, 2022, the U.S. Securities and Exchange Commission (SEC) voted in favor of new rules regarding cybersecurity risk management for registered investment advisers and investment companies.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” —SEC Chair Gensler

Among other things, the cybersecurity rules would require:

  • Registered advisers to implement written cybersecurity policies and procedures and document proof of compliance program reviews.
  • Registered advisers to report any significant cybersecurity incidents to the SEC.

The proposed new guidance would also set forth further recordkeeping requirements for fund managers. The SEC’s goal: to protect investors and maintain orderly markets by improving the availability of cybersecurity-related information and to help facilitate SEC inspection and enforcement.

Existing SEC guidelines and requirements regarding cybersecurity compliance already touch many components of a fund manager’s business, including:

  • Data management
  • Electronic recordkeeping
  • Communication monitoring
  • On-demand data retrieval, visibility, and control

The new rules only add to the above areas of focus.

SEC Cybersecurity & Monitoring: 3 Questions for Fund Managers

In terms of complying with the new cybersecurity rules, investment advisers will need to focus on the details by putting in place a written plan to ensure their team members are following appropriate information security best practices and firm-level protocols across the board.

One way to get ahead of this is for advisers to implement a centralized, secure research management system to serve as a system of record for all sensitive notes, documents, and data.

Here are some questions fund managers should consider.

Do You Know All the Apps Your Front Office Is Using for Research?

Fund managers that allow investment teams to use a collage of technology tools — sometimes with little oversight — will have difficulty tracking which of those applications have had any significant cybersecurity incident.

At first blush, cobbling together a mix of “prosumer” tools such as Evernote and Dropbox may seem the path of least resistance, but there are pitfalls regarding security and data ownership with this approach.

Having one platform that provides best-in-class productivity and collaboration tools across a suite of mobile apps, a web app, and add-in integrations lessens the above risks. Investment teams can capture new ideas and information, and manage and share documents with colleagues — all within a single system of record and without asking your team to sacrifice usability.

Are App Vendors Reporting When Incidents Occur? Would You Know if They Did?

Chances are that most companies are reporting significant cybersecurity risks and incidents to their users, but there’s the question of knowing which companies’ announcements to follow.

For many clients who have implemented the VerityRMS platform, senior technology and compliance team members have noted they hadn’t always been sure which apps their analysts and PMs were using – they came to Verity to improve front-office workflows, as well as to centralize internal research assets in one easy-to-monitor system.

By giving investment teams the right tools, purpose-built for the investment management industry, investment advisers make sure their technology is providing state-of-the-art infrastructure, including best-in-class hosting and encryption services. At Verity, we leverage Amazon Web Services (AWS) for this purpose and layer on several advanced access controls if desired. When customers want to host privately, we support that too.

Can You Aggregate Research — Quickly & Easily — If/When the SEC Requires?

Aside from security incidents, fund managers will need to be able to respond quickly and comprehensively to SEC discovery requests.

Does your process have the necessary cohesion to build the full story of your investment process? If your firm is utilizing a combination of a shared drive, Outlook folders, and a “bring your own” approach to productivity tools, this is going to be difficult and time-consuming.

Advisers will be better prepared, and more ready to respond, if their firms already have a centralized repository of research and data that’s easy to search and/or filter down to just that which is of interest to the regulators at any given time.

Bottom Line

New cybersecurity guidance from the SEC will continue to be more stringent and specific. Registered investment advisers need to be increasingly diligent and prepared.

How We’re Helping at Verity

With VerityRMS, you have a partner to help you keep data safe and make sure your research is following the latest cybersecurity best practices.

With an intense focus on user experience and driving high adoption rates of the VerityRMS platform, we’re giving analysts and portfolio managers the functionality they need to capture, consume, collaborate, and act on their investment research faster and more consistently. Of course, all the while, fund management technology and compliance professionals have peace of mind that their firms’ most precious assets — their internally generated intellectual capital — are safe and secure.

Schedule your demo today to learn more about how VerityRMS offers:

  • State-of-the-art infrastructure utilizing best-in-class hosting and encryption.
  • Suite of front-office research tools including a web app and mobile apps for iOS and Android.
  • Integrations with productivity tools such as Microsoft Office, Adobe, and more.
  • Advanced access controls: 2FA, SSO, IP whitelisting, download restrictions, and more.
  • Time-accurate versioning (recordkeeping) with advanced search, filtering, and reporting.
  • Support for custom workflows: monitoring and reporting all analyst interactions and research-oriented comms.
  • Regular third-party penetration tests (PenTests), which we can share in summary with clients upon request.
