The US Securities and Exchange Commission (SEC) is preparing for a huge cybersecurity crackdown. Several months ago, the SEC proposed updates to its cybersecurity rule, seeking to ramp up enforcement against cyber-related crimes. Now, the SEC will require all registered investment advisers (RIAs) to implement a dedicated cyber-protection program that prevents, detects, and properly reports any “material” breach.
At first glance, the SEC’s proposal seems like a generally reasonable demand. Companies from around the world have increased protections related to cyberattacks, and as technology advances and attackers continue to get more creative, the need for a standardized policy and procedure is evident. But digging deeper into the SEC’s latest proposal reveals several areas that could be cause for great concern.
- The SEC plans to require all RIAs to report “material” cyberattacks by updating Form 8-K within four days of an incident.
An attack considered to be “material” is any incident that directly impacts an individual’s decision whether to buy, hold, or sell a company’s stock. But hold the phone — only four days? It’s extremely unlikely that a cyber investigation can be successfully and properly completed within four days. In most cases, it takes weeks for a cyber incident to be fully contained and repaired and the impacts assessed. Depending on the severity of the attack, it could be months or even years before the true damage can be measured and the attacker apprehended.
- After a cyberattack occurs, the SEC wants to be heavily involved in each RIA’s containment and remediation process.
Cyberattacks happen quickly and without notice. That’s why internal IT departments are typically given preauthorization to do whatever is necessary to block an attack or repair the damage. But if the SEC’s new rule is approved, IT departments will be required to meet with SEC investigators, law enforcement, directors, officers, legal counsel, and more — prior to making any decisions. Time is of the utmost importance during and after cyber incidents. Forcing RIAs to hesitate and await approval could leave RIAs and their clients vulnerable to further attacks.
- The SEC will require all RIAs to provide updates on previously disclosed cyberattacks.
The SEC has only ever required formal reporting of past cyber breaches for those that were most high-profile and publicized. If periodic updates following any breach are suddenly required, RIAs will be left completely unprepared for the transition. RIAs will be forced to modernize their reporting and documentation systems, which will likely be very expensive and challenging for teams to accomplish.
Do you have an adequate cybersecurity plan in place?
It’s always better to be proactive rather than reactive. That’s why it’s in every RIA’s best interest to start planning for the SEC’s new cybersecurity rule now. Compliance teams and CCOs should have a solid plan in place that complies with the new disclosure requirements. RIAs should also recognize that this new rule will bring with it an increased risk of cyber-related lawsuits.
Cybersecurity is a liability.
The imminent threat of a cyberattack, coupled with costly and time-consuming violations and regulatory investigations, places RIAs at great risk. The best way to protect your RIA is to employ a strong defense and an efficient reporting system.
AdvisorLaw’s CyberProtection program helps RIAs to secure the necessary safeguards and protect themselves from cybercrime and regulators alike. Although our technology is complex, we make cybersecurity easy for our clients.
With AdvisorLaw, know who’s on your side when you need to protect yourself from a cyberattack, as well as the investigations that are soon to follow. To learn more about our services, please give us a call today, at 303-952-4025.