Page 117 - Cyber Defense eMagazine April 2023
be considered once a firm has achieved a certain level of AUM or funding – cybersecurity is a top
consideration for firms of all sizes, and the SEC will not differentiate based on size.
A cautionary tale can be found in EyeMed, an Ohio-based vision care benefits company that was required
to pay a $4.5 million fine for failing to conduct a required risk assessment and for violating the New York
State Department of Financial Services cybersecurity rules. This costly failure could have been avoided had
the company conducted ongoing risk and vulnerability assessments and enforced multifactor authentication
on its email system. In addition to the fine, EyeMed was given three months to conduct a risk
assessment and provide the regulator with a clear plan to improve its cybersecurity practices and avoid
similar failures in the future.
The EyeMed incident shows that cybersecurity is a compounding issue that cannot be solved overnight.
It requires firms to take charge and create comprehensive, technical and actionable plans that can be
quickly executed so firms can stay one step ahead of looming threats. The key piece of preparation for
SEC compliance is in “owning” a firm’s cybersecurity. Technology solutions can make this process easier
for firms and empower them to take a proactive approach to their cybersecurity defenses, such as
implementing data flow mapping to perform in-depth vulnerability analysis. These types of solutions are
not only required for regulatory compliance, but also vital to protect the integrity of the data and
information firms deal with daily.
While certain controls such as policy development, risk assessments and cybersecurity training can be
outsourced, there are additional actions that firms themselves will be required to complete, including:
• Internal team training to comply with the proposed 48-hour incident reporting deadline
• Data flow mapping to understand where sensitive data lives and moves, identify vulnerabilities and
implement the required mitigation tactics
• Board reporting on the fund's current and future cybersecurity preparedness
Ownership becomes particularly important in this case.
Many firms, particularly those without a CISO, have historically left cybersecurity in the hands of their IT
providers or MSPs. That is no longer adequate. Cybersecurity today must be owned and reviewed by the firm
itself, both to protect sensitive data and information and to avoid the significant cost of non-compliance.
The stakes are even higher in the face of the new SEC regulations, and firms that fail to incorporate cyber
into their strategic business operations and budgets may end up paying for it elsewhere, both in fines and
in the loss of consumer trust.
Ensuring a firm’s effective cyber posture is not an overnight process – it requires ongoing risk
assessments and an actionable road map to identify existing vulnerabilities and correct for the future.
With appropriate planning, technological investment and empowerment from board members, firms will
be able to meet and exceed the SEC guidelines – and become proactive in their fight to protect against
cyberattacks.