SEC Releases Cybersecurity Guidance

On April 28th, 2015, the SEC’s Division of Investment Management (the “Division”) released a Guidance Update titled Cybersecurity Guidance (the “Guidance”) to help registered investment companies (“funds”) and registered investment advisers (“advisers”) assess and address their cybersecurity risks. The Guidance emphasizes that both advisers and funds have become increasingly dependent on technology to conduct their business activities and therefore have a responsibility to protect confidential and sensitive information related to these activities. The Guidance further highlights the importance of cybersecurity and outlines reasonable security measures funds and advisers can take to reduce cybersecurity risks.

The Division urges funds and advisers to review their cybersecurity strategy, identify their obligation under the federal securities laws and assess their ability to prevent, mitigate, detect and respond to cybersecurity incidents. Although the Guidance is fairly broad and high-level, it does outline a three-step approach that funds and advisers should consider when developing their cybersecurity strategy or addressing their cybersecurity risk. The steps set forth in the Guidance are:

  1. Conduct periodic assessments of: (i) information collected by the business; (ii) threats and vulnerabilities to information and technology systems; (iii) security controls currently in place; (iv) potential impact to systems should an incident occur; and (v) overall IT governance strategy;
  2. Design a cybersecurity strategy to prevent, mitigate, detect and respond to cybersecurity incidents;
  3. Implement that cybersecurity strategy through written policies and procedures, internal personnel training and external client education.

Gravitas encourages you to read the entire cybersecurity guidance at: and take the necessary steps to begin assessing your compliance with the strategy outlined in the Guidance.

As you go through your assessment process, keep in mind that as a Gravitas client you are already provided with best-of-breed risk management technologies and security advisory services suited to protecting your business, the information you collect and your technology systems. We are also committed to helping you exceed the expectations of regulators and investors. As such, we will always work with you to review and improve your cybersecurity strategies as required by the Division’s Guidance.

Additionally, we can tailor a specific security advisory service for you that offers a holistic approach to risk management and compliance and is also well-aligned with the principles outlined in the Guidance. If you have questions regarding the Division’s Guidance or would like to learn more about security advisory services available to you as a Gravitas client, please contact your relationship manager.

For more information, please contact Omar McKenzie, Gravitas' Chief Information Security Officer, at