SEC’s Cybersecurity Rule: What RIAs & Funds Need To Know

The Securities and Exchange Commission (SEC) has decided to reopen the public comment period for the cybersecurity rule it initially proposed last year.

New Additions

This decision came on the same day that the commission approved a number of cyber and data privacy-related proposed rules and amendments, including amendments to Regulation S-P. The proposed Regulation S-P amendments would require registered investment advisers (RIAs) to notify individuals who may be affected by certain types of data breaches that could expose them to identity theft. Additionally, firms would need to report “significant” cybersecurity incidents to the SEC within 48 hours of determining that such an incident has occurred. Comments on both the proposed amendments to Regulation S-P and the proposed cybersecurity risk management rules for broker-dealers and other market participants are due by June 5, 2023.

That 48-hour reporting window caused some concern among chief compliance officers and firms during the initial comment period, and again at this week’s Investment Adviser Association Compliance Conference in Washington, D.C. The SEC’s statement indicated that reopening the public comment period will give interested parties additional time to analyze the issues and prepare comments, taking into account other regulatory developments, including the effects of other cybersecurity risk management and disclosure proposals that the SEC may consider.

The SEC’s Cybersecurity Proposal

Under the SEC’s proposed cybersecurity rule, RIAs and funds would be required to adopt and implement written cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks. The rules would also require RIAs and funds to disclose information about cybersecurity risks and incidents, to report certain cybersecurity incidents confidentially to the SEC, and to maintain related records.

The proposed rules are a response to the increasing threat of cyberattacks on the financial industry. The SEC has observed that many RIAs and funds do not have adequate cybersecurity policies and procedures in place to protect their clients’ sensitive information. The proposed rules aim to ensure that RIAs and funds have appropriate safeguards in place to protect against cyber threats.

Comments on the proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies, and business development companies, which were proposed on February 9, 2022, are due by May 22, 2023.

Policies & Procedures

The proposed rules require RIAs and funds to adopt and implement written policies and procedures that are reasonably designed to protect against unauthorized access to sensitive information. These policies and procedures must be tailored to the firm’s size, complexity, and the nature of its business, as well as to the sensitivity of the information it maintains. The policies and procedures must also be reviewed at least annually and updated as necessary to address changes in the firm’s business or operations.

Disclosures

RIAs and funds are also required to disclose information about cybersecurity risks and incidents to their clients. The proposed rules require firms to provide clients with a written summary of their cybersecurity policies and procedures. Firms must also provide clients with notice of any material changes to their policies and procedures.

Incident Reporting

In addition to disclosing information to clients, RIAs and funds would be required to report certain cybersecurity incidents to the SEC. The proposed rules require firms to report significant incidents, meaning those that result in the loss of sensitive information or the disruption of business operations. Firms would be required to report such incidents within 48 hours of having a reasonable basis to conclude that a significant incident has occurred or is occurring.

Maintaining Records

The proposed rules also require RIAs and funds to maintain records relating to their cybersecurity policies and procedures and any cybersecurity incidents. These records must be maintained for a period of five years.

Reactions To The New Rule

The proposed rules have been met with mixed reactions from the financial industry. Some firms believe that the rules are necessary to ensure that clients’ sensitive information is protected from cyber threats. Other firms believe that the rules are overly burdensome and that they will impose significant costs upon the firms.

Regardless of the industry’s reaction to the proposed rules, RIAs and funds should be aware of the cybersecurity risks facing their firms and take steps to protect their clients’ sensitive information. RIAs and funds should assess their current cybersecurity policies and procedures and consider whether they are adequate to protect against cyber threats. If not, they should improve their policies and procedures and implement appropriate safeguards.

AdvisorLaw’s CyberProtection Program

AdvisorLaw provides a comprehensive cybersecurity program that can assist RIAs in meeting the expanding cybersecurity and risk-management requirements proposed by the SEC. With the increasing number of dedicated positions in the SEC’s Crypto Assets and Cyber Unit, it’s more important than ever for RIAs to have a formal cybersecurity program in place.

AdvisorLaw’s CyberProtection Program is designed to be compliant with regulatory requirements and reflect RIAs’ size and their manner of conducting business. The program aims to protect the business and clients by providing appropriate protections, a clear understanding of requirements, and guidance for maintaining adequate records to demonstrate compliance.

The program covers staff training, computer security, internet connection security, a sensitive data inventory, and ongoing review. Staff training consists of mini-training modules delivered electronically every four to six weeks, periodic simulated phishing emails, and online refresher courses for staff found susceptible to phishing. The program’s monitoring software detects changes to systems, records system events, and scans the firm’s static IP address daily to detect configuration changes.

Knowing where sensitive information is stored and who has access to it is a critical part of managing risk. AdvisorLaw’s program includes a sensitive data inventory to easily track information backups, security, third-party utilization, and staff access. The program is reviewed annually to modify policies and procedures and adapt to evolving cybersecurity threats and regulatory environments.

AdvisorLaw begins by comparing the RIA’s existing cybersecurity policies against its current technology and staffing footprint to ensure they are aligned. Because the written policies are the blueprint for the program, any flaw in them carries over into the program itself, which is why aligned policies and programs are essential.

With AdvisorLaw’s CyberProtection Program, RIAs and funds can have a formal, comprehensive, and well-executed security program that meets all business needs, protects the business and clients, and demonstrates compliance with regulatory bodies.


The SEC’s proposed cybersecurity rules for RIAs are a response to the increasing threat of cyber attacks on the financial industry. The proposed rules require firms to adopt and implement written policies and procedures that are reasonably designed to protect against unauthorized access to sensitive information. The rules also require firms to disclose information about cybersecurity risks and incidents to their clients and report certain incidents to the SEC. While the rules have been met with mixed reactions from the financial industry, RIAs and funds should take steps to assess their current cybersecurity policies and procedures and implement appropriate safeguards to protect against cyber threats.

Contact us today for a complimentary consultation, and get your firm’s or fund’s cybersecurity compliance up to date and ready for the SEC’s impending rule changes.
