Webinar replay: Speakers from Stradley Ronon & Omega Systems discussed the proposed Cybersecurity Risk Management rules and what to expect next from the SEC.
To stress the critical nature of cybersecurity protections, the Securities and Exchange Commission (SEC) proposed new requirements in February 2022 for registered investment advisers that would mandate significant enhancements to an organization's cybersecurity posture. The proposed changes would also impose stringent disclosure and recordkeeping requirements following a cybersecurity incident.
Updated 05/2024: The SEC has delayed a final vote (again) until October 2024.
Per the SEC's proposal, financial firms (including RIAs, investment companies and business development companies) would be subject to the requirements described below.
Under the current proposal, registered investment advisers would be required to report "significant" cybersecurity incidents within 48 hours of determining that such an incident has occurred or is actively occurring. The report would be made on a new, confidential Form ADV-C, on which advisers would need to provide detailed information about the incident.
In addition to alerting the SEC to significant new cybersecurity incidents, investment funds and advisers would be required to amend Form ADV Part 2A to disclose material cybersecurity risks and incidents to current and prospective clients "if there is a substantial likelihood that a reasonable client would consider the information important." The rule would also require "an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure after such an incident."
The SEC's proposed changes would require financial firms to adopt and implement written policies and procedures that address ongoing cybersecurity risk management. While advisers should tailor those policies and procedures to the specific nature of their business and their particular cyber risks, the SEC would prescribe the elements they must cover.
Policies and procedures would need to be reviewed, and their effectiveness assessed, at least annually, with the review documented in a written report.
Lastly, the proposal would amend the "books and records" rule to require firms to retain records related to the above requirements, including copies of cybersecurity policies and procedures, copies of risk assessments, copies of cybersecurity incident reports and records documenting the annual reviews of those policies and procedures.
Although, as of this article's publication date, the SEC has yet to finalize its requirements, it is widely expected that the SEC will adopt cybersecurity rule changes in some form. The SEC already adopted cybersecurity risk management and incident disclosure rules for public companies in July 2023.
These proposals are consistent with the financial industry's increasing vigilance with regard to cybersecurity, and firms should begin preparing now for what is to come. Alternative investment firms and registered advisers should evaluate their current programs and investments against each of the proposed requirements above: incident reporting, client disclosure, written policies and procedures, annual review and recordkeeping.
The SEC's initial vote on the above changes took place on February 9, 2022, followed by an initial public comment period. In March 2023, the SEC formally reopened the public comment period on the proposed rule, and the expected vote timeline has been delayed multiple times since. A decision is now expected in October 2024.
If you would like to speak with Omega's cybersecurity team to review your current protections and discuss a proactive plan for addressing the forthcoming SEC requirements, please contact us today.