In March, the Securities and Exchange Commission (SEC) proposed new cybersecurity risk management rules for organizations including registered investment advisers, registered investment companies, and business development companies (registered funds).
The SEC is also proposing numerous modifications to existing rules governing investment adviser and registered fund disclosures.
This 200+ page rule is dedicated to strengthening existing standards and encouraging firms to upgrade their cybersecurity risk management procedures. Cybersecurity has been at the forefront of the SEC’s examinations and we can expect that focus to increase now that the new regulation ( known as 206(4)-9 ) will move us from a period of cybersecurity “guidance” to a period of cybersecurity “regulation”.
I have covered this topic in a past webinar. If you prefer a recorded version of this information, I highly encourage you check out the YouTube Link below.
How does this affect your firm?
According to the accompanying Cybersecurity Risk Management Fact Sheet released by the SEC (Link Here) the planned regulation would have a significant impact on registrants’ cybersecurity measures in a number of key areas.
The New SEC Cybersecurity Regulations will Require:
- You will now be required to implement written cybersecurity policies and procedures that are designed to address cybersecurity risks, including the risks of using interconnected systems and networks directly and through IT vendors, cloud providers, and MSPs;
- You are now required to perform vulnerability scans and penetration tests
- Firms will now be required to maintain records related to cybersecurity programs and their outcomes, as well as data breaches; and systems logs.
- Firms will now have to disclose cybersecurity risks and incidents to the adviser’s clients and prospective clients; (See our webinar on why this is a disastrous and dangerous requirement)
- Registered advisers will now be required to report significant cybersecurity incidents to the SEC, and file Form-ADV-C
The new cybersecurity risk management and recordkeeping rules would be put in place under the Investment Advisers Act of 1940 (“Advisers Act”) and the Investment Company Act of 1940 (“Investment Company Act”), which already require registered advisers and funds to evaluate certain cybersecurity risks while developing policies and procedures.
To summarize, organizations will be forced to take additional proactive steps that will undoubtedly increase the burden and costs of their compliance workflows with registrants required to examine the design and efficacy of their cybersecurity measures on an annual basis and produce a written report as a result of those audits.
I will go through some of the most important aspects of the SEC’s new proposed rule below.
Cybersecurity Risk Management Rules
All registered advisers and funds must “adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks” under rules 206(4)-9 of the Advisers Act and 38a-2 of the Investment Company Act, according to the SEC.
Given the ever-changing nature of threats, the SEC feels that the proposed cybersecurity regulation would be adaptable, allowing companies to tailor their security efforts based on their particular operations and complexity, as well as changing cybersecurity risks.
The proposed rule addresses several crucial aspects of a cybersecurity strategy:
- Risk and Threat assessments: requires registered advisers and funds to conduct periodic risk assessments of the network’s vulnerabilities as well as service providers that have been granted access to the network.
- User security and access: produce evidence of minimizing user-related risks and prevent unlawful access to the network by mandating policies that follow existing cybersecurity standards.
- Information protection. Firms would be required to assess the sensitivity of data on their network and actively monitor IT systems to identify suspicious activity.
- Threat and Vulnerability Management. The new risk management rule would require registered advisers and funds to monitor systems and industry or government cyber threat information for them to detect, mitigate, and remediate cybersecurity hazards and vulnerabilities.
- Cybersecurity Incident Response. Firms will need to have procedures in place to identify, react to, and recover from a cyber-related disruption.
Interested in seeing the technical/nerdy aspects of how you or your IT firm will have to deal with these requirements?
Reporting of Significant Cybersecurity Incidents to the SEC
The SEC is proposing a new regulation that would require advisers to provide confidential information on Form ADV-C “promptly but not more than 48 hours” after establishing a reasonable basis to believe that a significant adviser cybersecurity problem or a significant fund cyber incident has occurred or is occurring. This is EXTREMELY problematic for reasons that we have covered extensively in videos and other write-ups.
Additionally, the proposed rule would also require registered advisers to amend any previously filed Form ADV-C promptly, “but in no event more than 48 hours, after information reported on the form becomes materially inaccurate; if new material information about a previously reported incident is discovered; and after resolving a previously reported incident or closing an internal investigation about a previously disclosed incident.”
This timeline for breach reporting to the SEC under the proposed rule would be one of the strictest in the industry when compared with other reporting regimes and I can tell you from years of doing this kind of work that the timeline is completely unrealistic.
On an annual basis, firms would have to reevaluate their cybersecurity policies and procedures. They would then need to generate a written report documenting security assessments, recording security incidents, and discussing any policy changes (that are material) since the last report.
New Record Keeping Requirements
The new rule will introduce further record-keeping obligations in the form of maintaining five years of cybersecurity policies, annual written cybersecurity audits, risk assessments, breach notification notices, and records documenting “any cybersecurity incidents”. This is going to be extremely expensive and a barrier to entry for many firms.
Disclosure of Cybersecurity Risks and Incidents
The proposed changes would add a new Item 20, “Cybersecurity Risks and Incidents,” to the Form ADV Part 2A…….which is made available to the public!
Scary. I know.
Does your firm need help to understand the new regulations?
MTradecraft can help.