
The SEC’s Proposed Rule: Cybersecurity Risk Management for Investment Advisers and Funds

What’s in the proposed rule for investment advisers and funds?

The Securities and Exchange Commission (SEC) has proposed a new rule that would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risk. The proposed rule would also require advisers and funds to report significant cybersecurity incidents to the SEC and to maintain certain records related to cybersecurity.

The SEC has found that investment advisers and funds are increasingly being targeted by cybercriminals, and that these attacks can have a significant impact on investors and the financial markets. As such, the proposed rule would require investment advisers and funds to address the following key elements in their cybersecurity policies and procedures:

  • Risk assessment: Advisers and funds must periodically assess their cybersecurity risks and identify the information and systems that are most critical to their operations.
  • User security and access requirements: Advisers and funds must implement policies and procedures to ensure that only authorized individuals have access to their information and systems.
  • Information protection: Advisers and funds must implement policies and procedures to protect their information from unauthorized access, use or disclosure.
  • Cybersecurity threat and vulnerability management: Advisers and funds must implement policies and procedures to detect, mitigate, and remediate cybersecurity threats and vulnerabilities.
  • Cybersecurity incident response and recovery: Advisers and funds must implement policies and procedures to respond to and recover from cybersecurity incidents.

Advisers and funds would also be required to report any significant cybersecurity incident to the SEC within 48 hours of having a reasonable basis to conclude that such an incident has occurred or is ongoing. Under the proposal, a significant cybersecurity incident is one that significantly disrupts or degrades the adviser’s or fund’s ability to maintain critical operations, or that results in unauthorized access to or use of information and leads to substantial harm to the adviser or fund, its clients or its shareholders.

In addition, the proposed rule would require advisers and funds to maintain certain records related to cybersecurity, such as copies of their cybersecurity policies and procedures, records of cybersecurity incidents and records of their cybersecurity risk assessments.

The SEC plans to meet in October for a vote to finalize the proposed rule.

Why should cybersecurity risk management be a priority for investment advisers and funds?

Investment advisers and funds hold a significant amount of sensitive information about their clients and investors, such as names, addresses, Social Security numbers, investment account information and financial assets. This information is a valuable target for cybercriminals, who can use it to commit identity theft, fraud and other financial crimes.

Cybersecurity incidents can also have a significant impact on investment advisers and funds themselves. For example, a cyberattack could disrupt their operations, damage their reputation, or result in financial losses.

What are the key elements of a cybersecurity risk management program?

A comprehensive cybersecurity risk management program should include the following elements:

  • Risk assessment: The first step in developing a cybersecurity risk management program is to conduct a risk assessment to identify the specific cybersecurity risks that the organization faces. This assessment should consider the organization’s assets, systems, and operations, as well as the external threat environment.
  • Cybersecurity policies and procedures: Once the organization has identified its cybersecurity risks, it should implement policies and procedures to manage those risks. This may include patching software vulnerabilities, implementing security controls and conducting security awareness training for employees.
  • Incident response: The organization should also have a plan in place to respond to cybersecurity incidents. This plan should include specific steps to identify, contain, eradicate and recover from incidents.
  • Business continuity: The organization should also have a business continuity plan in place to ensure that it can continue to operate in the event of a cybersecurity incident or other disruption.

What are the key takeaways and next steps for investment advisers and funds?

If the proposed rule becomes final, investment advisers and funds will be required to adopt and implement written cybersecurity policies and procedures to address cybersecurity risk, and to report significant cybersecurity incidents affecting the adviser or the fund to the SEC within the 48-hour window. Some firms may also need to update their recordkeeping policies and internal review requirements promptly to capture the required policies, incident records and risk assessments.

Next steps to prepare for compliance with the proposed rule (assuming it becomes final in October) include the following:

  1. Engage a qualified advisor to help you with a cybersecurity assessment to understand your current practices and gaps.
  2. Adopt an industry-recognized security framework, such as NIST CSF or the CIS Controls.
  3. Develop written policies and procedures that address information security, incident response plans, business continuity plans and disaster recovery plans.
  4. Create a remediation roadmap to implement good industry practices.
  5. Implement ongoing cybersecurity program monitoring with periodic reporting to leadership and/or the Board.

Windham Brannon Can Help

Adopting and implementing a comprehensive cybersecurity risk management program is a critical issue for investment advisers and funds. Windham Brannon’s cybersecurity professionals can help you understand the implications of the SEC’s proposed rule and how to develop strategies for better cybersecurity if and when the October vote makes the rule final. For questions or more information, contact your Windham Brannon advisor today.