Late Wednesday afternoon, private equity real estate CFOs gathered at the Westin Hotel in Manhattan to hear Chris Hetner, the US Securities and Exchange Commission’s newly appointed lead on cybersecurity-related exam initiatives, discuss the commission’s attitude towards cybersecurity oversight.
After listing the various regulations justifying the agency’s right to review registrants’ cybersecurity readiness, including Rule 30 of Regulation S-P requiring advisors to safeguard client data and the SEC’s identity theft rule, Hetner explained that cybersecurity readiness is a fluid concept measured by a firm’s “reasonable attempt to address cybersecurity threats based on the risks they face.”
There’s “no single right solution to cybersecurity” and the SEC doesn’t want to “micromanage or mandate any particular technology,” Hetner said during a question and answer session with delegates at the 2015 Private Equity Real Estate CFOs and COOs Forum in New York.
In 2014, the commission launched a cybersecurity sweep to determine registrants’ cybersecurity readiness, later releasing its findings for GPs to use as a benchmarking tool. A second sweep is expected later this summer.
Similar to other exam initiatives, Hetner said the cybersecurity sweep will use a risk-based approach (as well as tips and complaints submitted by insiders). SEC visits “may be announced or unannounced,” but if announced, a letter will be sent requesting specific documents from the firm, Hetner said.
What the SEC wants
During the Q/A, a delegate asked what common errors the commission discovered during its cybersecurity sweep. Hetner responded that firms often fail to appreciate the seriousness of a cybersecurity attack until it happens in real-time “when it’s too late to safeguard client data.”
He also said it was poor practice to “just make a blanket investment on cybersecurity” without knowing where the firm stores its most sensitive data and critical assets within the IT infrastructure.
“The first question I ask business leaders is ‘Where are your key assets from an IT perspective?’ And ‘How can you successfully manage a cybersecurity program without knowing what to protect?’”
On the question of appointing a chief information security officer, Hetner said the commission doesn’t have a “prescriptive set of cybersecurity rules,” nor does it want to, instead realizing that each firm will “right-size their approach” and be evaluated on “what’s reasonable” based on their vulnerability to hackers, level of resources and overall commitment to protecting their digital networks.
“We don’t want to create any check-the-box exercise here. But what we do want is for senior management to be actively engaged in cybersecurity matters and recognize that greater board involvement on their part gives them a sense of accountability on the issue,” he said at the forum.