This article discusses the SEC’s proposed cybersecurity rules and their potential impact on registered investment advisors. The authors also provide tips on how to protect against cybersecurity risks for private fund managers, broker/dealers, and registered investment advisory firms.
In 2023, the U.S. Securities and Exchange Commission (SEC) made it clear that data security, cybersecurity and IT operational resilience remain top of mind for the Commission. In an effort to tackle issues around transparency, recordkeeping and breach reporting requirements, among other areas of focus, the SEC proposed the following three new sets of rules:
- Impose cybersecurity risk management and incident notification rules for broker-dealers and other SEC-registered entities. This proposal for registered investment advisers and registered investment companies relating to cyber risk management was set forth back in February 2022. The comment period was supposed to end in March 2023, but the SEC reopened it and accepted additional comments through May 2023.
- Amend Regulation S-P (commonly known as a firm’s “privacy policy”) to require broker-dealers, registered investment advisers (RIAs) and registered investment companies to report breaches of “sensitive” nonpublic personal information to affected individuals.
- Establish a new cybersecurity risk management rule (referred to as Proposed Rule 10) for broker-dealers, clearing agencies and other SEC-regulated entities that would require these entities to maintain written policies and procedures reasonably designed to address their cybersecurity risks; assess annually the effectiveness of those policies and procedures and document that assessment; and notify the SEC of any “significant cybersecurity incident” within 48 hours after “having a reasonable basis to conclude that the significant cybersecurity incident has occurred or is occurring.”
Ultimately, all three proposed new SEC regulations would, among other things, require regulated entities to formally adopt policies and procedures for responding to cyber incidents; expand the scope of information subject to the rules to include information received from third-party financial institutions; and implement new requirements for reporting cyber incidents to both customers and regulators.
While many RIAs, including private fund managers, likely already have some form of cybersecurity compliance program in place, there has never been formal guidance or legal language to help form effective and compliant frameworks, which has resulted in firms piecing this together in a vacuum. These proposed rules are codifying what prior guidance has asserted the industry needs to have in place and enables registered market participants to better understand what the regulators are seeking.
To those points, let’s take a deeper look at each proposal and their potential impact on RIAs and registered investment companies while also providing some tips on how to protect against cybersecurity risks for private fund managers, broker/dealers and registered investment advisory firms.
Cybersecurity Risk Management and Comment Period Extension
The SEC is proposing new cybersecurity risk management rules and amendments under the Investment Advisers Act and Investment Company Act, requiring RIAs and registered investment companies to adopt policies and procedures to address cybersecurity risks. Some key points and takeaways include:
- Advisers would need to report significant cybersecurity incidents to the SEC using the new Form ADV-C, aiming to improve the Commission’s ability to monitor and assess systemic risks.
- The proposal includes mandatory disclosures of cybersecurity risks and incidents to clients and investors; advisers would update Form ADV, Part 2A, while registered investment companies would fully disclose in their registration statements.
- The proposal aims to enhance the cybersecurity preparedness of advisers and funds, addressing concerns about the adequacy of current practices and the need for improved investor protection.
- New recordkeeping requirements are included, mandating advisers and registered investment companies to maintain records related to their cybersecurity policies, procedures and incidents.
- The proposed rules would require firms to adopt comprehensive cybersecurity policies, report significant cyber incidents and enhance client disclosures about cybersecurity risks and incidents.
As noted above, in light of the proposed changes to Regulation S-P, the SEC reopened the comment period for its proposed rules on “Cybersecurity Risk Management for Investment Advisers, Adviser, and Business Development” through May 2023.
Regulation S-P (Reporting Around Privacy Breach Incidents)
The SEC proposed amendments to Regulation S-P to enhance the protection of customer information by requiring covered firms to notify customers of certain types of data breaches and to update the rule’s requirements for the protection of customer information. Some key points and takeaways include:
- Covered firms will be required to notify customers of breaches that might put their personal information or financial data at risk.
- Covered firms must adopt policies for an incident response program and provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.
- The proposed amendments will also broaden and align the scope of the safeguards and disposal rules to cover “customer information,” extend the safeguards rule to transfer agents and conform to a statutory exception for privacy notice delivery.
Cybersecurity Risk Management (Brokers/Dealers) (Referred to as ‘Proposed Rule 10’)
The SEC has proposed a new rule and related amendments requiring critical service providers in the U.S. securities markets to address cybersecurity risks. This applies to various market entities such as broker-dealers, clearing agencies and national securities exchanges. Some key points and takeaways include:
- The proposal addresses the vulnerability of the U.S. securities markets, part of the critical financial services sector, to cyber attacks using sophisticated tactics, which pose serious risks to national security and economic stability.
- The Proposed Rule 10 mandates that all market entities develop, maintain and annually review effective cybersecurity policies and procedures and report significant cybersecurity incidents to the SEC immediately.
- Additional requirements for “covered entities” include conducting periodic risk assessments; implementing control measures; monitoring and protecting information systems; documenting and managing cybersecurity incidents; and publicly disclosing cybersecurity risks and incidents on proposed Form SCIR.
- Although Proposed Rule 10 is directed at broker-dealers, it is a sign of the SEC’s increased focus in this area.
Once these proposals are enacted, the items they outline will be expected to be incorporated into financial firms’ compliance programs. In addition to the cybersecurity initiatives, private fund managers will also be impacted by other rulemaking, whether by way of proposals or implementation, such as the recently passed Private Fund Adviser Rules. While there is no crystal ball that points to when these regulations might be enacted, it is believed that Reg S-P could be enacted first, followed by Cybersecurity Risk Management for all of those impacted, i.e., RIAs, financial services firms, broker/dealers and registered investment companies.
Best Practices/Tips for Protecting Against Cybersecurity Risks
The key to compliance with the requirements of the new proposals/regulations is to get a thorough understanding of the proposals by reading through them in detail (e.g., footnotes, comments, etc.), as they are a good indicator and guideline of what will be enacted in rule form. Perform a thorough risk analysis of your firm’s cybersecurity policies and procedures as they relate to information security systems and who has access to those systems (whether internal or third party). Knowing who has access is the most critical point, because the best practices that follow depend on it.
From there, conduct due diligence on the service providers being utilized to assess the risks associated with their use. Firms must have full disclosure of what risks their clients are facing and determine how they can best manage that risk. Therefore, having these conversations with service providers, particularly where you have had areas of concern, is of utmost importance.
In a similar vein, regulators are doing their best to keep up with the rapidly evolving area of artificial intelligence (AI). As AI software becomes increasingly popular in the financial world to improve employee productivity and customer experience, it may mean an external AI system has personally identifiable information or other sensitive information, thus increasing risk.
This is where vendor due diligence on the AI software provider becomes extremely important. Ask the software provider, “How is the information being sourced?” “How is information being gathered and used?” and “What type of privacy settings are in place to ensure information is not disseminated outside of the firm or in violation of internal policies?” Regardless of any individual opinions of AI, it is here to stay and is a key topic being discussed in these proposed new rules.
Once all this information is gathered, firms can then begin implementing actions that make sense to get ahead of the SEC proposals becoming final. One of the first actions is to implement training across the entire firm, including forensic testing (such as phishing exercises) in order to examine the likelihood of an incident or breach happening. It is vital to train all employees on what could go wrong, what actions to take and how to successfully mitigate potential risks and their associated risk levels. This is an area where it may be more beneficial to engage an external firm to conduct the training, to ensure an independent review and that every firm employee is trained, even those employees who are intimately familiar with the firm’s information security procedures.
With better understanding of these SEC cybersecurity proposals, coupled with the aforementioned best practices to protect against cybersecurity risks, RIAs should take a step back to assess their firm’s compliance program, active cybersecurity protocols, and technology stack to determine what actions are needed to make sure the firm will be compliant when these proposals become final rules.
Fizza Khan is founder and CEO of Silver Regulatory Associates, a firm specializing in compliance and ESG for the investment industry. Kyle Blair is the director of financial services at Egnyte.
Reprinted with permission from the March 1, 2024 issue © 2024 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or [email protected].