SEC to Investment Advisers: Cybersecurity Must Be a Comprehensive, Continually Evolving Program

Cybersecurity risk is constantly mutating and growing, and it poses a particular threat to financial services firms, which by the figure cited in this discussion are 300% more likely to suffer a cyber-attack than firms in other sectors. Investment advisers are an attractive target for cybercriminals because of the trove of information they hold: clients' personal and financial data, business strategies, trading models, and portfolio positions are all ripe for theft or extortion.

For investment adviser firms of all sizes, cybersecurity should be more than a regulatory compliance exercise. To adequately safeguard investor information and assets, a firm should put a formal cybersecurity program in place and then continually mature it, so that its controls keep pace with the threats they are meant to counter.

This was the topic of discussion between the SEC’s Keith Cassidy, Head of the SEC’s Technology and Controls Program, and ACA Aponix® partner Mike Pappacena, during ACA’s spring conference. They discussed why the threat of a cyber-attack is so acute for investment advisers, how they can best protect themselves and their clients, and what the SEC expects from investment advisers’ cyber programs. Here are some highlights from their conversation. 

Build a firm-wide, holistic cybersecurity program 

While the SEC expects advisers to address risk assessments, penetration testing, business continuity planning, third-party diligence, phishing prevention training, and more, Cassidy stressed that these should not be stand-alone exercises. They must be components of a larger program that is regularly reviewed and updated to address the latest developments in the threat landscape.

Simply put, investment advisers need to treat cybersecurity as a firm-wide, board-approved, policy-mandated, holistic effort. Here's how:

Review, test, and update policies, procedures, and documentation continually 

Written information security plans, incident response plans, business continuity plans, and related documents should be reviewed, updated, and approved on a regular basis. 

Conduct regular, tailored risk assessments and penetration tests 

Risk assessments tailored to the size of the firm should be conducted every 6 to 12 months, and any gaps or deficiencies they surface should be remediated and tracked to closure. Risk assessments should be supplemented with penetration tests that are likewise tailored to the firm. How often to test depends on the complexity of the firm's network and the number of end users: for some firms annual testing is appropriate, for others every three years. Whatever the cadence, a material change to the environment (a new trading platform, a cloud migration, a merger) is a good reason to test sooner.

Don’t forget third parties and portfolio companies 

Third-party service providers should be contractually obligated to adhere to the firm's cyber policies, and that obligation should be verified through ongoing diligence rather than assumed from the contract alone. Private fund managers should extend their cyber programs to their portfolio companies.

Don’t just set it and forget it 

Investment advisers of all sizes need not only to build a cybersecurity program, but also to make sure that it adapts and evolves.

  • Ensure buy-in for cybersecurity across the firm - Get the board and senior management involved and engaged in understanding and championing cyber-readiness.
  • Tailor your cybersecurity program to your firm - Conduct risk assessments, penetration tests, and other testing at a level that is right-sized for your firm. Make sure they are done by a reputable provider that understands your organization's business operations and risks.
  • Treat cybersecurity as a continuing, evolving effort - This is not a one-and-done project. Build in regular reviews, testing, and updates of policies, incident response plans, and related documents to ensure continued protection.

How we help 

ACA Aponix® can help your firm build a comprehensive cybersecurity program to protect against evolving ransomware attacks and other cyber threats. We offer a range of services, including: 

If you have any questions, please contact your ACA Aponix consultant or contact us.