In 2023, the SEC made clear that cybersecurity remains top of mind for the Commission and that it intends to tackle issues around transparency, recordkeeping and breach reporting requirements, among other areas of focus. In a recent webinar, Silver’s CEO, Fizza Khan, sat down with Nicolas DeVore, Manager of Financial Services at Egnyte, to discuss three SEC proposals from 2023 that are directly linked to cybersecurity initiatives: Cybersecurity Risk Management, Regulation SCI amendments and Regulation S-P (the privacy rule).
A video of the full webinar is below, as well as key takeaways from the discussion:
- Regulatory overview: A proposal for registered investment advisers and registered funds relating to cyber risk management was set forth back in February 2022. The comment period was supposed to end in March 2023, but the SEC reopened it and is accepting additional comments through May 2024. This is due to the second proposal, the Regulation S-P amendments (the privacy rule), as the proposed amendments to that rule are trying to capture the essence of cybersecurity breaches. As such, the SEC realized it needed to extend the comment period for investment advisers and investment companies. The third proposal – the Regulation SCI amendments – is similar to the first one but is more in line with broker/dealers. Ultimately, all three are centered around cybersecurity issues the SEC urgently wants to tackle.
- While many registered investment advisers, including private fund managers, likely already have some form of cybersecurity program in place, there has never been real guidance or legal language to help form effective and compliant frameworks, which has resulted in firms piecing a lot of this together in a vacuum.
- These proposed rules codify what the industry needs to have in place and enable registered market participants to better understand what the regulators are looking for.
- Once these proposals are enacted, the items they outline will be expected to be incorporated into financial firms’ compliance programs. In addition to the cybersecurity initiatives, private fund managers will also be impacted by other rulemaking – either by way of proposals or implementation – such as the recently passed fund advisory rule.
- In a similar vein, regulators are doing their best to keep up with the rapidly growing area of artificial intelligence (AI). As AI notetaking software becomes increasingly popular, more of your firm’s information ends up held by an AI system. This is where vendor due diligence on the software provider becomes very important, and it is a key piece introduced in these proposed new rules.
- Start implementing these precautions immediately by conducting a review of which service providers you are using. Firms must have full visibility into the risks their clients are facing in order to determine how best to manage that risk. Having these conversations with service providers, particularly where you have had areas of concern, is therefore of utmost importance. It is always crucial to be prepared and to look closely at what these proposals are saying.
- While Silver doesn’t have a crystal ball regarding timing, it is believed that Reg S-P could be enacted first, followed by Cybersecurity Risk Management for all of those impacted – i.e., registered investment advisers, financial services firms, broker/dealers and investment companies – though we don’t anticipate this happening in the near term.
Silver recommends taking a step back to conduct a thorough risk analysis of your firm’s cybersecurity policies and procedures, including forensic testing, in order to examine the likelihood of a breach happening and the ways in which your firm would work to mitigate these potential risks. Effective top-down training of all employees on what could go wrong will also be paramount to successfully reducing risk.
If you have any questions about these Cybersecurity proposals from 2023, or your firm’s compliance program, please reach out to a member of Silver’s Compliance Team at [email protected].