According to an SEC press release, The Securities and Exchange Commission has proposed new rules
focused on cybersecurity risk management for registered investment advisers and funds. The new proposal also includes changes to existing rules dealing with investment adviser and fund disclosures.
SEC Chair, Gary Gensler, is quoted in the press release, stating: “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."
Summary of Proposed Requirements:
The new proposed rules and amendments to existing rules address cybersecurity risks for registered investment advisers, and registered investment organizations and business development companies (funds).
This includes the following requirements:
- Cybersecurity policies and procedures - Registered investment advisers and funds must accept and enact cybersecurity policies and procedures designed to address cybersecurity risks.
- Incident management, reporting and disclosures - Advisers must report significant cybersecurity incidents impacting the adviser or its fund or private fund clients, to the Commission. In addition, advisers and funds must report such incidents to its clients and prospective clients.
- Recordkeeping and updated forms - The Commission is suggesting changes to recordkeeping standards and changes to numerous forms regarding disclosures related to serious cybersecurity risks and cybersecurity incidents that affect advisers and funds and their clients and shareholders.
Comments on the proposal are due 60 days following publication of the proposed release on the SEC’s website or 30 days following publication of the proposed release in the Federal Register, whichever period is longer.
Q: Why is the SEC now focused on cyber risk management?
The SEC has always had a focus on managing cyber risk. Through the Office of Compliance Inspections and Examinations the SEC has been working with much of the financial services industry to make sure that cyber risk is appropriately managed. These rules now expand the coverage to include Registered Investment Advisors and Funds.
Q: Where do I start?
Modernizing and simplifying governance, risk and compliance is no easy task for global organizations. With new rules surfacing and continually changing it can be difficult for organizations to keep up. Comprehensive cyber risk assessments can help organizations understand the current state of its cyber program, identify potential gaps and risks, remediate those gaps and risks, and ultimately implement an effective cybersecurity framework.
Q: Do I need full-time cybersecurity practitioner, or can I use third-party professionals?
The rules require that you have access to cyber risk management expertise. For many organizations, it is difficult to attract, hire and retain qualified cybersecurity professionals. The proposed rules allow an adviser or fund the flexibility to make decisions on how that expertise is obtained. Your organization can determine who can implement and oversee its cybersecurity program and if that expertise is provided by in-house or third-party professionals.
Q: If I have written policies and procedures, would that satisfy the proposed rules?
It is important for organizations to not only have policies and procedures in place, but also be able to implement the practices within their cybersecurity program. Many are turning to a Managed Defense and Response (MDR) solution. MDR provides a turnkey solution that gives organizations of every size a stronger security posture by using a scalable, cloud-based SOC with human-augmented machine learning (Hybrid AI) and a predictable pricing model.
Q: We have not had any cybersecurity incidents in the past. Why should we care?
Cybersecurity has long been a key area for professional services companies to address, but with the widespread shift to remote and hybrid workplaces, there are more vulnerabilities to exploit than ever. It is not so much a matter of ‘if’ but rather ‘when.’ A proactive approach to data protection can not only help you comply with government regulations but also help protect your bottom line.
Q: My organization is not in the scope of the SEC. I don’t need to do anything, right?
If your organization does not fall into the scope of the SEC, you might be feeling relieved that you don’t have to follow the new regulations. However, the practices which the SEC is proposing are foundational cybersecurity programs. Additionally, it’s possible that future governmental guidelines could be put into place, so it’s best to stay ahead of the game.
Staying proactive is your best defense against increasingly sophisticated cyber threats, and future regulations.
The rule proposal may include the requirements below.
- Require advisers and funds to adopt and implement written policies and procedures that address cybersecurity risks.
- Required elements of cybersecurity risk management program include:
- Risk Assessment – A written documentation of risk assessment may be required by the proposed rules. When conducting the cybersecurity risk assessment, an adviser or fund should categorize and prioritize cybersecurity risks based on the organization’s business operations and identify and assess the risks associated with the use of third-party service providers.
- User Security and Access – The cybersecurity risk management rules require controls that are designed to reduce user access related risks. To support this, the policies and procedures should include:
- Acceptable use policy that governs standards of behavior of using adviser or fund information systems and information;
- Multi-factor authentication;
- Procedures for secure management of user authentication methods including passwords;
- Principle of least privilege, in which access is given solely to individuals who require access to adviser or fund information systems or information residing therein for the purposes of fulfilling their responsibilities; and
- Secure remote access technologies
- Information Protection – A periodic review of the adviser or fund information systems and the information that resides on the systems, including:
- Classification of information based on its level of sensitivity and importance to the operations of the adviser or fund;
- Identification of personal and personally identifiable information;
- Monitoring of the access, storage, and transmission of adviser or fund information;
- Access controls and malware protection of information systems; and
- The potential impact of a cybersecurity incident to the adviser’s or fund’s business operations.
- Threat and Vulnerability Management – Advisers and funds must detect, mitigate, and remediate threats to and vulnerabilities in the information systems. They should conduct ongoing monitoring of cybersecurity threats and vulnerabilities, including network, system, and application vulnerability assessment. Additionally, advisers and funds should establish a patch management program, establish accountability for managing vulnerabilities, and provide ongoing cybersecurity risk awareness and training based on roles.
- Incident Response and Recovery – Funds and advisers should establish incident response and recovery policies and procedures that, in the event of an incident, provide:
- Continued business operations;
- Protection of information systems and data;
- Incident information sharing and communications; and
- Reporting of incidents to the Commission.
- Annual review and required written reports - The proposed rules also require advisers and funds to review and assess the design and effectiveness of their cybersecurity policies and procedures no less frequently than annually and prepare a written report from such review and assessment.
- Board oversight – The proposed rules require a fund’s board of directors to be responsible for approving the cybersecurity policies and procedures, and for reviewing, at least annually, the cybersecurity risk assessment or incident reports.
- Recordkeeping - Advisers and funds may be required to maintain, make, and retain certain cybersecurity-related books and records for up to five years.
Advisers may be required to report
significant cybersecurity incidents to the SEC on proposed Form ADV-C:
- Reporting may be required for any significant cybersecurity incidents at the adviser, or behalf of an adviser’s fund client or private fund client.
- The proposed Form ADV-C should be submitted within 48 hours after having a reasonable basis to conclude that a significant adviser or fund cybersecurity incident had occurred or is occurring.
Enhance adviser and fund disclosures
related to cybersecurity risks and incidents
- The proposal amends Form ADV, Part 2A, to require disclosure to an adviser’s clients and prospective clients of (i) cybersecurity risks and (ii) incidents that occurred in the last two fiscal years
- Funds also may be required to provide prospective and current investors with cybersecurity-related disclosures:
- Specifically, the proposed amendments would require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in the funds’ registration statements (i.e., Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form S-6, and Form N-8B-2).