Authored by Ishan Girdhar, Founder and CEO of Privva.
Cyberattacks and data breaches are becoming more frequent and sophisticated as technology advances and grows more complex. Geopolitical tensions, the continuous development and increased adoption of cutting-edge technologies, increasingly complex economic ecosystems, and other factors all contribute to this trend.
Every industry, especially financial services, is affected by cyberattacks and breaches. To protect against these threats, investment advisors and funds must be appropriately prepared.
Recently, the US Securities and Exchange Commission (SEC) issued updated cybersecurity and risk management regulations. This article will discuss these new regulations and how they may affect investment advisors and funds.
On February 9, 2022, the Securities and Exchange Commission voted three to one to propose new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 relating to cybersecurity risk management, breach reporting, and record keeping for registered investment advisors and investment funds.
The new rules would require registered investment advisors and investment funds to adopt written policies and procedures reasonably tailored to mitigating cybersecurity risks, particularly those related to the following:
These policies and procedures must be reviewed and assessed by the adviser or fund on an annual basis.
The rules, as proposed, would require advisers to disclose cybersecurity risks and incidents to existing and prospective clients that may substantially affect the advisory relationship; among other things, a fund would be required to disclose cybersecurity events that had occurred in the fund's prior two fiscal years. Using amended forms for advisers (Form ADV Part 2A) and funds (Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6), disclosure must include:
These disclosures would be made to both current and prospective clients. The goal of this requirement is to provide transparency to investors about a fund's cybersecurity preparedness and resiliency.
The SEC also proposed that investment advisors and funds maintain:
This would allow the SEC to review past policies and procedures as well as how advisers have responded to past cyberattacks or data breaches. It would also provide insight into how a fund handles cybersecurity events. This requirement is meant to promote transparency and help the SEC better understand how investment advisors and funds manage cybersecurity risk.
A board is responsible for a company's governance and should be involved in key decisions, including approving the company's initial cybersecurity policies and procedures.
The proposed rules would include a requirement for the fund's board to execute certain cybersecurity oversight activities, such as approving the fund's initial cybersecurity policies and procedures, as well as a duty to audit the annual report on such policies and procedures.
This would ensure that the board is actively engaged in a fund's cybersecurity risk management and aware of any incidents or issues.
The SEC's proposed rules are meant to increase transparency and promote better cybersecurity practices among investment advisors and funds. Advisers and funds would be required to adopt written policies and procedures reasonably tailored to mitigating cybersecurity risks, disclose such risks and incidents to investors, and maintain related documentation. Boards would be responsible for executing certain cybersecurity oversight activities, including approving policies and procedures and auditing the annual report on such policies and procedures. These proposed rules would help the SEC better understand how advisers and funds manage cybersecurity risk.
Having a written cybersecurity strategy is critical to mitigating risk and protecting your business. The proposed rules from the SEC require investment advisors and funds to have a written policy, so it is important to have one in place before compliance is required.
You can follow these steps in developing your strategy and aligning it with the proposed SEC requirements:
You should also consider working with an expert who can help you develop a comprehensive strategy that meets SEC requirements. Cybersecurity insurance is also important for protecting your business against data breaches and other cyber incidents.
When a significant cybersecurity event occurs, you should report it to the SEC. A material cybersecurity event is an event that has a reasonable likelihood of causing substantial harm to the financial stability of the United States or to investors. Examples of events that could be material include, but are not limited to:
The SEC has stated that it will use the information it receives to better understand how advisers and funds manage cybersecurity risk, so it is important to report any significant events.
You should also document all of your cybersecurity risk management activities, so you can prove that you have taken reasonable steps to mitigate risk. Based on the documents mentioned above, this documentation should include, but is not limited to:
The SEC may request this documentation as part of an examination or investigation, so it is important to have it available.
Cybersecurity should be a top priority for all businesses, and the SEC’s updated regulations provide helpful guidance on how to develop and implement a robust strategy. By following the recommendations in this article, you can protect your organization from cyberattacks and ensure that you are in compliance with SEC regulations.
With Privva, you can be confident that your cybersecurity risk management activities are in compliance with the SEC’s updated regulations. Privva is the leading provider of cybersecurity solutions for the financial services industry, and our solutions are designed to help organizations quickly identify and respond to cybersecurity threats. We provide actionable insights that allow firms to improve their cybersecurity posture and meet compliance requirements. To learn more, visit www.privva.com or www.entreda.com.