How Financial Firms Can Prepare for the SEC’s Cybersecurity Requirements

Earlier this year, in an effort to stress the critical nature of cybersecurity protections, the Securities and Exchange Commission (SEC) proposed new requirements for registered investment advisers which would mandate significant enhancements to an organization’s cybersecurity posture. Proposed changes would also include stringent requirements for disclosure and recordkeeping following a cybersecurity incident.

Per the SEC proposal released in February of 2022, financial firms – including RIAs, investment companies and business development companies – would be required to:

• Disclosure a “significant adviser cybersecurity incident” within 48 hours of identification;
• Provide updates to clients regarding any previously reported cybersecurity incidents;
• Provide written policies and procedures related to cybersecurity risk management;
• Review and update written policies and procedures annually; and
• Maintain records of all policies, written rules and cybersecurity-related reports and disclosures.

Incident Reporting within 48 Hours

Under the current proposal, registered investment advisers will be required to report “significant” cybersecurity incidents within 48 hours of determining such an incident has occurred or is actively occurring. On a new line item that would be added to Form ADV Part 2A, advisers would need to provide detailed information regarding:

• Entities or investors affected by an incident;
• The current status of an incident and when it was first discovered;
• If data or sensitive information was stolen, altered or accessed without authorization;
• How the incident affected or continues to affect the adviser’s operations;
• If the incident has been remediated or is currently being remediated by the adviser or its service provider; and
• Whether the incident is covered under a cyber liability insurance

Disclosure of Cybersecurity Risks and Incidents

In addition to alerting the SEC of significant new cybersecurity incidents, investment funds and advisers would be required to amend Form ADV Part 2A to disclose material risks to current and prospective clients “if there is a substantial likelihood that a reasonable client would consider the information important.” The rule would also require “ an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure after such an incident.”

Cybersecurity Risk Management Rules

The SEC’s proposed changes would require financial firms to adopt and implement policies and procedures to address ongoing cybersecurity risk management. While advisers should customize policies and procedures to fit the specific nature of their business and unique cyber risks, the SEC would require the following elements:

• Periodic Risk Assessments: Written, periodic assessments of cybersecurity risks, including third-party service providers that receive, maintain, process or have access to an adviser’s information or information systems
• User Security and Access: Written controls designed to prevent unauthorized internal and external access to sensitive information and information systems
• Information Protection: Periodic assessment and monitoring of information systems to prevent unauthorized access as well as oversight of service providers
• Threat and Vulnerability Management: Written policies that address processes for detecting, mitigating and remediating cybersecurity threats and vulnerabilities
• Incident Response and Recovery: Written policies and procedures that address processes for detecting, responding to and recovering from a cybersecurity incident

Policies will need to be reviewed and updated on an annual basis.

Recordkeeping

Lastly, the proposal would amend the “books and records” rule and require companies to maintain records related to the above requirements including copies of cybersecurity policies and procedures, copies of risk assessments, copies of cybersecurity incident reports and records documenting annual reviews of the aforementioned policies and procedures.

Next Steps

Although as of this article’s publish date the SEC has yet to finalize their requirements, it is generally expected that significant changes are forthcoming. In addition to the proposal outlined above, the SEC released a second set of proposed changes in March 2022 that would impact public companies and enforce strict disclosure and governance procedures.

These proposals are consistent with the financial industry’s increasing vigilance with regard to cybersecurity, and as such, firms should begin preparing now for what’s to come. Alternative investment firms and registered advisers should begin to evaluate their current programs and investments with regard to:

• IT/Cybersecurity Budget. To support a sophisticated and compliant cybersecurity risk management program, many companies will likely need to increase their overall investment in IT and cybersecurity, including the implementation of new technologies such as advanced threat protection and incident monitoring (SIEM).
• Staff/Outsourced Support: Whether internally or through an outsourced managed security service provider (MSSP) – or a combination of both – companies will need to consider staffing increases to support ongoing cyber risk management and incident reporting requirements.
• Policy Development and Maintenance: The creation, enhancement and maintenance of written policies and procedures under the SEC’s proposed rules will require significant effort on the part of registered companies. It would be wise for companies to rely on a trusted third party to ensure controls and measures are aligned to the SEC’s expectations and reviewed periodically to reflect ongoing changes to infrastructure, operations and business risks.