Proposed SEC Rules for Cybersecurity Risk Management: What Investment Advisory Firms Need to Know
The SEC has proposed new rules that would require registered investment advisers, registered investment companies, and business development companies to:
- Adopt and implement written cybersecurity policies and procedures meant to address cybersecurity risks
- Report any significant cybersecurity incidents to the SEC
- Implement new information security recordkeeping requirements
- Disclose certain cybersecurity incidents in their brochure or registration statement
Cybersecurity threats continue to grow more sophisticated and can be costly to firms and investors. The SEC believes these rules, which are currently within a period of public review and comment, will improve cybersecurity, increase the resiliency of financial service providers, protect investors, and help maintain orderly markets.
While the goals for this proposed rule change are straightforward, the impact upon firms may be far-reaching, including:
- Requiring additional firm investments focused on cybersecurity
- Updating systems to adhere to 48-hour mandatory reporting requirements for significant cybersecurity incidents on Form ADV-C
- Enhancing cybersecurity policies and oversight procedures
- Implementing books and recordkeeping requirements related to cybersecurity practices
Board-level impact on cybersecurity playbooks
Amendments to Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement cybersecurity policies and procedures to include the following.
Risk assessment: Periodically assess, categorize, prioritize, and document cybersecurity risks associated with the business.
User security and access: Design controls to minimize user-related risks and prevent unauthorized access to information and systems.
Information protection: Monitor systems to protect information from unauthorized access or use, identify suspicious behaviors, and periodically reassess what information resides on systems.
Threat and vulnerability management: Design ongoing controls that detect, mitigate, and remediate cybersecurity threats and vulnerabilities of information and systems.
Cybersecurity incident response and recovery: Implement measures to detect, respond to, and recover from a cybersecurity incident.
It will be crucial for firms to establish a process for continuously assessing cybersecurity and technology risk by monitoring their current systems and establishing and regularly testing procedures. The proposed rule will require that firms review and assess the effectiveness of their policies and procedures, at least annually, and prepare a written report.
The report should describe the annual review and assessment, any tests performed, and their results. It should document any cybersecurity incidents and discuss material changes to policies and procedures. Additionally, proposed amendments to Rule 38a-2 would require these policies and procedures to be approved and reviewed, at least annually, by the firm's Board of Directors.
Whether you’re administering your policies and procedures in-house or engaging a third-party cybersecurity risk management service, make sure to identify how these review elements will be conducted and the appropriate escalation process to senior officers of the firm.
Recordkeeping: Written Information Security Procedures (WISPs)
Amendments to Rules 206-2 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement recordkeeping requirements such as maintaining copies of policies, procedures, reports, and reviews, including Board oversight as appropriate. Additionally, firms will be required to retain all reports and documents pertaining to cybersecurity incidents, and all records pertaining to the cybersecurity risk assessment.
In typical fashion, these documents should be retained for a five-year period, with the most recent two years in an easily accessible place.
48-Hour Reporting of Cybersecurity Incidents and Disclosure
The proposed rule would stipulate that significant cybersecurity incidents would be reportable to the SEC. Advisers would be required to promptly submit the new Form ADV-C to the SEC (typically within 48 hours). The form includes questions on the nature and scope of the incident and whether disclosure was made to investors. The new Form ADV-C will be submitted electronically and structured as a series of check-the-box and fill-in-the-blank questions to help the SEC enhance examinations and assess trends.
Under the proposed amendments, firms would be required to disclose cybersecurity risks and incidents, in plain English, on their regulatory documents (e.g., Form ADV Part 2A, N-1A, S-6). These reporting and disclosure requirements will more directly address cybersecurity risks and incidents and how they may materially impact, or have already materially impacted, the firm's business. Firms would also be required to promptly deliver updated disclosure documents to investors following any material amendments to the document.
Supervisory and policy steps to be prepared
While most firms have existing cybersecurity playbooks addressing the many layers of information security, the proposed SEC cybersecurity risk management rules call for firms to examine those procedures to ensure they include:
- A comprehensive cybersecurity policy for firms per industry standards such as NIST 800-53 and ISO 27001
- Assurance that firms have a system to continuously monitor cybersecurity risks across devices, users, networks and vendors and to make sure that systems match the policy of record
- Risk management program collaboration across technology, risk, and compliance to assess risks and investigate threats
- Development of an incident response log to ensure the firm’s cybersecurity playbook is up to date with rule requirements
- An inventory in the cybersecurity playbook that includes hardware, software, and data information and their corresponding cybersecurity controls
- Assurance that incident logs, cybersecurity policies, revisions and cybersecurity monitoring reports are archived in a manner that complies with SEC 17a-4 storage requirements
- Controls designed to minimize third-party risks, including security and access control capabilities of application and content providers who store and maintain firm data in the cloud
- Tuning of existing supervisory policies to ensure that areas of identified cybersecurity risk are incorporated into Written Supervisory Procedures (WSPs) and actively inspected
- Inclusion in vendor controls of procedures and documentation for onboarding, ongoing monitoring, off-boarding, and handling of non-public client information
- Ongoing cybersecurity training for employees, third parties, and consultants
The SEC has stated that implementing these requirements should be part of the firm’s fiduciary duty to apply practices that are in the best interest of their clients. Firms should take steps to minimize cybersecurity risks that could lead to significant business disruptions and harm to investors.
How we can help
In addition to our portfolio of capture, archiving, and supervisory solutions, Smarsh has extended its cybersecurity portfolio with the additions of Entreda and Privva to add device and network protection and ensure potential exposures are identified prior to hitting long-term systems of record.
Smarsh Cyber Compliance (Entreda) monitors devices, users, networks and vendors continuously through a single-pane-of-glass platform. This includes a standard incident response template to log cybersecurity incidents for investigation and remediation. Cybersecurity policies and incident reports/alerts/notifications are sent to users via email and, assuming clients have Smarsh, the email reports are saved as part of 17a-4 storage.
Smarsh Cyber Compliance (Entreda) subscriptions include a cybersecurity policy generator that makes it easy for firms to build and manage their cybersecurity policy based on NIST 800-53 guidelines. Additionally, generating the policy through Smarsh Cyber Compliance (Entreda) ensures that the policy of record matches implementation.