Authored by Ishan Girdhar, Founder and CEO of Privva.
Cyberattacks and data breaches are becoming more frequent and more sophisticated as technology advances and systems grow more complex. Geopolitical tensions, the continued development and adoption of new technologies, increasingly interconnected economic ecosystems, and other factors all contribute to this trend.
Every industry is affected by cyberattacks and breaches, and financial services is a prime target. To protect against these threats, investment advisers and funds must be properly prepared.
In February 2022, the US Securities and Exchange Commission (SEC) proposed new cybersecurity risk management rules for investment advisers and funds. This article discusses the proposed rules and how they may affect advisers and funds.
Updated Cybersecurity Policies and Procedures
On February 9, 2022, the Securities and Exchange Commission voted three to one to propose new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 covering cybersecurity risk management, incident reporting, disclosure, and recordkeeping for registered investment advisers and registered investment companies (funds).
The proposed rules would require registered investment advisers and funds to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks, covering at a minimum the following elements:
- User security and access;
- Data protection;
- Risk assessment;
- Threat and vulnerability management; and
- Incident response and recovery.
Advisers and funds would have to review and assess these policies and procedures at least annually and prepare a written report documenting that review.
Disclosure of Cybersecurity Incidents
As proposed, the rules would require advisers to disclose to current and prospective clients any cybersecurity risks and incidents that could materially affect the advisory relationship. Funds would be required to disclose significant cybersecurity incidents that occurred during their two most recent fiscal years. The disclosures would be made on amended forms for advisers (Form ADV Part 2A) and funds (Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6) and would include:
- The nature of the cybersecurity risks and incidents;
- The measures taken to mitigate such risks and incidents; and
- The impact that such risks and incidents have had on the fund or its investors.
The goal of this requirement is to give investors transparency into an adviser's or fund's cybersecurity preparedness and resilience.
The SEC also proposed that investment advisers and funds maintain the following records:
- a copy of the cybersecurity policies and procedures adopted under proposed Rule 206(4)-9 that are currently in effect or were in effect at any time within the previous five years;
- a copy of the adviser's written report documenting each annual review of its cybersecurity policies and procedures under proposed Rule 206(4)-9 for the previous five years;
- a copy of any Form ADV-C filed by the adviser under proposed Rule 204-6 during the previous five years;
- records documenting the occurrence of any cybersecurity incident, including records related to the response to and recovery from the incident, for the previous five years; and
- records documenting the adviser's cybersecurity risk assessments for the previous five years.
These records would let the SEC review past policies and procedures, see how advisers responded to past cyberattacks and data breaches, and understand how a fund handles cybersecurity incidents. The requirement is meant to promote transparency and help the SEC better understand how advisers and funds manage cybersecurity risk.
A fund's board is responsible for the fund's governance and should be involved in key decisions, including approving the fund's initial cybersecurity policies and procedures.
The proposed rules would require the fund's board to carry out specific cybersecurity oversight activities: approving the fund's initial cybersecurity policies and procedures and reviewing the written report on the annual review of those policies and procedures.
This is intended to keep the board actively engaged in the fund's cybersecurity risk management and aware of any incidents or issues.
The SEC's proposed rules are meant to increase transparency and promote better cybersecurity practices among investment advisers and funds. Advisers and funds would be required to adopt written policies and procedures reasonably designed to address cybersecurity risks, disclose those risks and any significant incidents to investors, and maintain related records. Fund boards would be responsible for specific oversight activities, including approving the policies and procedures and reviewing the annual report on them. Together, these proposals would help the SEC better understand how advisers and funds manage cybersecurity risk.
Here's What You Can Do
Develop a cybersecurity strategy
Having a written cybersecurity strategy is critical to mitigating risk and protecting your business. The proposed SEC rules would require investment advisers and funds to maintain written policies and procedures, so it is worth having them in place before compliance becomes mandatory.
You can follow these steps to develop your strategy and align it with the proposed SEC requirements:
- Assess your business and identify its cybersecurity risks
- Draft policies and procedures to mitigate those risks
- Implement the policies and procedures
- Train employees on how to implement and follow the policies and procedures
- Test the cybersecurity measures to confirm they are effective
- Review and update the policies and procedures at least annually and whenever your risks change
You should also consider working with an expert who can help you develop a comprehensive strategy that meets the SEC's requirements. Cyber insurance can also help protect your business against the financial impact of data breaches and other cyber incidents.
Report significant cybersecurity incidents to the SEC
Under the proposal, an adviser would have to report a significant cybersecurity incident to the SEC on Form ADV-C within 48 hours of having a reasonable basis to conclude that one has occurred, whether the incident affects the adviser itself or a fund or private fund client it advises. A significant cybersecurity incident is one that significantly disrupts or degrades the ability to maintain critical operations, or that leads to unauthorized access to or use of information resulting in substantial harm to the adviser, a fund, or their clients or investors. Examples of incidents that could meet this threshold include, but are not limited to:
- A cyberattack that results in the unauthorized access to or theft of material confidential information
- An incident that causes a significant interruption of your normal operations
- A ransomware attack that impacts your business
- An incident that results in the unauthorized alteration, destruction, or loss of data
- An incident that triggers a significant market reaction, such as a decline in the value of the securities you manage or advise on
The SEC has stated that it would use these reports to better understand how advisers and funds manage cybersecurity risk and to assess the effects of incidents on investors, so it is important to report significant incidents promptly.
Document your cybersecurity risk management activities
You should also document all of your cybersecurity risk management activities, so you can demonstrate that you have taken reasonable steps to mitigate risk. Based on the records described above, this documentation should include, but is not limited to:
- Your cybersecurity strategy;
- Policies and procedures related to cybersecurity;
- The results of any risk assessments;
- Details on how you implemented your policies and procedures; and
- Information on any incidents or attacks that occurred, as well as their impact.
The SEC may request this documentation as part of an examination or investigation, so it is important to have it available.
Cybersecurity should be a top priority for all businesses, and the SEC's proposed rules provide a useful framework for developing and implementing a robust program. By following the recommendations in this article, you can reduce your organization's exposure to cyberattacks and be ready for compliance when the rules take effect.
With Privva, you can be confident that your cybersecurity risk management activities align with the SEC's proposed rules. Privva is a leading provider of cybersecurity solutions for the financial services industry, and our solutions are designed to help organizations quickly identify and respond to cybersecurity threats. We provide actionable insights that allow firms to improve their cybersecurity posture and meet compliance requirements. To learn more, visit www.privva.com or www.entreda.com.