Subject: File No. S7-04-22
From: Howard Poston

April 12, 2022

9. What are best practices that commenters have developed or are aware of with respect to the types of measures that must be implemented as part of the proposed cybersecurity risk management rules or, alternatively, are there any measures that commenters have found to be ineffective or relatively less effective?

Full-disk encryption or database encryption has been shown to be ineffective at preventing unauthorized access to sensitive data and for enforcement of a zero-trust security strategy. Application-layer encryption (ALE), in which each application individually encrypts and manages access to its own sensitive data, provides greater security.

16. How do advisers and funds reduce the risk of a cybersecurity incident transferring from the service provider (or a fourth party (i.e., a service provider used by one of an adviser's or fund's service providers)) to the adviser today?

Use of data encryption and key storage solutions offered by a cloud provider places encryption keys under the cloud provider's control and at risk of exposure in the event of a security incident. Advisers and funds should use bring-your-own-key (BYOK) encryption options that permit them to manage their own encryption keys for sensitive data stored on cloud platforms.
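The following is an added worked example, not part of the comment letter above, illustrating together the two points it makes: application-layer encryption of a sensitive field (response to question 9) and a customer-held key encryption key that never reaches the cloud platform (response to question 16). It uses only the Go standard library (AES-256-GCM from crypto/aes and crypto/cipher). The record layout, the field names, the account identifier and the SSN value are all constructed for the example; the in-memory KEK stands in for a key that in practice would sit in an HSM or KMS under the adviser's control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// StoredRecord is the row as written to the cloud database (hypothetical
// schema). It holds only ciphertext and a wrapped data key; neither the SSN
// nor the key encryption key (KEK) is ever stored on the platform.
type StoredRecord struct {
	AccountID  string // cleartext, usable as a lookup key
	SSNCipher  []byte // AES-256-GCM ciphertext of the SSN, nonce prepended
	WrappedDEK []byte // per-record data key, AES-GCM-encrypted under the KEK
}

// gcmSeal encrypts plaintext under key with AES-GCM, binding aad to the
// ciphertext. A fresh random nonce is prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on a wrong key, a modified ciphertext,
// or an aad that differs from the one used at encryption time.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// EncryptRecord is the application-layer step: the application generates a
// fresh data encryption key (DEK) for this record, encrypts the sensitive
// field with it, and wraps the DEK under the customer-held KEK. The KEK is
// used here in memory and is never written alongside the record.
func EncryptRecord(kek []byte, accountID, ssn string) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredRecord{}, err
	}
	aad := []byte(accountID) // ties the ciphertext to this account row
	ct, err := gcmSeal(dek, []byte(ssn), aad)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := gcmSeal(kek, dek, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{AccountID: accountID, SSNCipher: ct, WrappedDEK: wrapped}, nil
}

// DecryptRecord succeeds only for a caller holding the KEK: unwrap the DEK,
// then decrypt the field. Anyone reading the row on the provider side (a
// snapshot, a backup, a compromised database credential) gets ciphertext only.
func DecryptRecord(kek []byte, r StoredRecord) (string, error) {
	aad := []byte(r.AccountID)
	dek, err := gcmOpen(kek, r.WrappedDEK, aad)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := gcmOpen(dek, r.SSNCipher, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed: the adviser's own KEK, generated locally
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "acct-1001", "123-45-6789") // constructed sample data
	if err != nil {
		panic(err)
	}
	fmt.Println("stored ciphertext:   ", hex.EncodeToString(rec.SSNCipher))
	ssn, err := DecryptRecord(kek, rec)
	fmt.Println("with customer KEK:   ", ssn, err)
	_, err = DecryptRecord(make([]byte, 32), rec) // a key the provider might hold
	fmt.Println("without customer KEK:", err)
}
```

The contrast with full-disk or transparent database encryption is that those layers decrypt for every process that can read the mounted volume or issue a query, so a compromised database account or host sees plaintext. With the scheme above, the stored row contains no usable data without the KEK, and because the account identifier is bound as associated data, a row copied under another account, or a ciphertext edited in place, fails to decrypt rather than yielding a wrong value silently.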