Cyber Disclosures & Board Responsibility: Complying With New SEC Rules
The SEC has proposed new rules for cyber risk management for investment advisers and funds. The public comment period has already closed, and the final version of the rules is expected soon.
Make no mistake: The new rulemaking doesn’t represent an idle threat. In August 2021, the SEC sanctioned eight firms for failures in their cybersecurity policies and procedures. Clearly, the agency is taking cybersecurity enforcement seriously.
Two key aspects of the rules are cyber incident disclosures and board responsibility for cybersecurity. Let’s take a deep dive on these issues to understand the SEC’s thinking.
INCIDENT REPORTING AND DISCLOSURE
Reporting of cyber incidents used to be a gray area for the SEC. If a cyber event didn’t appear to be directly detrimental to clients, firms weren’t required to report it.
With the new rulemaking, that has changed. Firms will now have to report to the SEC and disclose to clients any “significant” cyber incident. The SEC defines a significant incident as any cyber event that results in substantial harm or disruption of critical operations for the adviser or its clients. This is one of the most consequential elements of the SEC rules, as it calls for a level of transparency and process the SEC hasn’t specifically required before.
Reportable cyber incidents fall into two broad categories. One is the interruption of critical operations. The other is the exposure of confidential information such as customer data, employee data or business intelligence. Under the proposal, the report to the SEC is due within 48 hours of having a reasonable basis to conclude that a significant incident has occurred or is occurring, not 48 hours after you have finished investigating it. That means you’ll need a detailed and tested process, with clear roles and responsibilities, so you can report promptly and accurately.
In fact, reporting should be part of your broader incident response plan. You should document who will lead the response and which team members will perform which response actions. You should also have a process for reporting to not only the SEC but also your local FBI office as well as your board of directors.
Reporting to the SEC will be handled through a confidential process. But the SEC will also require that firms publicly disclose both cyber risks and cyber incidents to clients and the SEC in brochures and registration statements.
CYBERSECURITY RESPONSIBILITY AND ACCOUNTABILITY
Another key goal of the new SEC rulemaking is to strengthen responsibility and accountability for cyber risk management. This accountability extends to your board of directors.
Your board must now review and approve all cyber-related policies and procedures. It should also accept ultimate responsibility for the health of your cyber program. That, in turn, drives the implementation and maintenance of your cyber framework across the firm.
A key enabler of board accountability is a procedure to promptly inform the board of cyber incidents. Equally important is a process to keep the board apprised of your cybersecurity posture, including vendors that handle firm data. Establish metrics for cyber risk management, measure against them, and report to the board in a clear, consumable manner on a monthly, quarterly, and annual basis.
Your board will also be responsible for understanding the cyber risks that exist in your market and the best practices for addressing them. This is a new level of engagement that not all boards will be prepared for. Work with your board members to bring them up to speed.
Compliance with the new SEC rules will take focus and effort. The good news is that the rules represent best practices for safeguarding your information assets and your business – and should be implemented regardless of the final rules the SEC imposes.
WANT TO LEARN MORE? DOWNLOAD OUR IN-DEPTH WHITE PAPER, “NEW SEC RULES FOR CYBERSECURITY RISK MANAGEMENT: HOW INVESTMENT ADVISERS AND FUNDS SHOULD RESPOND TODAY.”