How RIAs & Financial Firms Can Prepare for SEC Cybersecurity Compliance

WATCH WEBINAR REPLAY:

Speakers from Stradley Ronon & Omega Systems discussed the proposed Cybersecurity Risk Management rules and what to expect next from the SEC. Click here to watch.

In an effort to stress the critical nature of cybersecurity protections, the Securities and Exchange Commission (SEC) proposed new requirements in February 2022 for registered investment advisers which would mandate significant enhancements to an organization’s cybersecurity posture. Proposed changes would also include stringent requirements for disclosure and recordkeeping following a cybersecurity incident.

Updated 05/2024: The SEC has delayed a final vote (again) until October 2024.

Per the SEC’s proposal, financial firms – including RIAs, investment companies and business development companies – would be required to:

• Disclose a “significant adviser cybersecurity incident” within 48 hours of identification;
• Provide updates to clients regarding any previously reported cybersecurity incidents;
• Provide written policies and procedures related to cybersecurity risk management;
• Review and update written policies and procedures annually; and
• Maintain records of all policies, written rules and cybersecurity-related reports and disclosures.

Incident Reporting within 48 Hours

Under the current proposal, registered investment advisers will be required to report “significant” cybersecurity incidents within 48 hours of determining such an incident has occurred or is actively occurring. On Form ADV-C, advisers would need to provide detailed information regarding:

• Entities or investors affected by an incident;
• The current status of an incident and when it was first discovered;
• If data or sensitive information was stolen, altered or accessed without authorization;
• How the incident affected or continues to affect the adviser’s operations;
• If the incident has been remediated or is currently being remediated by the adviser or its service provider; and
• Whether the incident is covered under a cyber liability insurance policy

Disclosure of Cybersecurity Risks and Incidents

In addition to alerting the SEC of significant new cybersecurity incidents, investment funds and advisers would be required to amend Form ADV Part 2A to disclose material risks to current and prospective clients “if there is a substantial likelihood that a reasonable client would consider the information important.” The rule would also require “ an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure after such an incident.”

Cybersecurity Risk Management Rules

The SEC’s proposed changes would require financial firms to adopt and implement policies and procedures to address ongoing cybersecurity risk management. While advisers should customize policies and procedures to fit the specific nature of their business and unique cyber risks, the SEC would require the following elements:

• Periodic Risk Assessments: Written, periodic assessments of cybersecurity risks, including third-party service providers that receive, maintain, process or have access to an adviser’s information or information systems
• User Security and Access: Written controls designed to prevent unauthorized internal and external access to sensitive information and information systems
• Information Protection: Periodic assessment and monitoring of information systems to prevent unauthorized access as well as oversight of service providers
• Threat and Vulnerability Management: Written policies that address processes for detecting, mitigating and remediating cybersecurity threats and vulnerabilities
• Incident Response and Recovery: Written policies and procedures that address processes for detecting, responding to and recovering from a cybersecurity incident

Policies will need to be reviewed and updated on an annual basis.

Recordkeeping

Lastly, the proposal would amend the “books and records” rule and require companies to maintain records related to the above requirements including copies of cybersecurity policies and procedures, copies of risk assessments, copies of cybersecurity incident reports and records documenting annual reviews of the aforementioned policies and procedures.

Next Steps

Although as of this article’s publish date the SEC has yet to finalize their requirements, it is widely expected that the SEC will pass cybersecurity rule changes in some form. The SEC already passed cybersecurity and disclosure changes for public companies earlier this year.

These proposals are consistent with the financial industry’s increasing vigilance with regard to cybersecurity, and as such, firms should begin preparing now for what’s to come. Alternative investment firms and registered advisers should begin to evaluate their current programs and investments with regard to:

• IT/Cybersecurity Budget. To support a sophisticated and compliant cybersecurity risk management program, many companies will likely need to increase their overall investment in IT and cybersecurity, including the implementation of new technologies such as advanced threat protection and incident monitoring.
• Staff/Outsourced Support: Whether internally or through an outsourced managed security service provider (MSSP) – or a combination of both – companies will need to consider staffing increases to support ongoing cyber risk management and incident reporting requirements.
• Policy Development and Maintenance: The creation, enhancement and maintenance of written policies and procedures under the SEC’s proposed rules will require significant effort on the part of registered companies. It would be wise for companies to rely on a trusted third party to ensure controls and measures are aligned to the SEC’s expectations and reviewed periodically to reflect ongoing changes to infrastructure, operations and business risks.