SEC Proposes Cybersecurity Risk Management Rule

BusinessComplianceData GovernanceRisk ManagementSEC
Written By Jason Shoup

On February 9, Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), issued a statement on “comprehensive reforms to improve cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies” that the SEC is considering implementing under a newly-proposed Cybersecurity Risk Management Rule.

According to Gensler, the rule would strengthen financial sector SEC registrants’ cybersecurity hygiene and incident reporting requirements, reduce the risk of “significant cybersecurity incidents,” and facilitate better decision making and information sharing across the financial sector.

Provisions of the Proposed Rule

According to the proposed rule, the SEC does not currently require firms to have a comprehensive cybersecurity program. As a result of the voluntary nature of the existing framework, the SEC has become concerned that many firms have not implemented such programs, increasing the risks posed to the firm and the financial sector as a whole.

Under the proposed rule, registered investment advisers and investment companies would be required to “adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks.” The proposed rule requires advisers and funds to adopt cybersecurity policies and procedures that will address operational risks and the harm that these risks could bring to industry clients, investors and the remainder of the financial industry. In addition to requiring these policies and procedures be implemented and maintained, the proposed rule enumerates several general elements that the policies and programs would be required to address. Here’s a breakdown:

Risk Assessments

Affected entities would be required to periodically “assess, categorize, prioritize, and draft written documentation” of the risks that their information systems and the information that they collect and retain pose to the cybersecurity of the firm. These risk assessments must be conducted in accordance with the procedures laid out in Section II(A)(1)(a)(i), (ii) of the proposed rules, and requires funds and advisors to categorize and prioritize cybersecurity risks and their potential impacts, and identify their service providers and those providers’ cybersecurity risks.

User Security and Access

Affected entities would be required to have “controls designed to minimize user-related risks and prevent unauthorized access to information and systems.” In order to ensure that this standard is met, the policies and procedure of the regulated entity must include:

  • an acceptable use policy governing the behavior of those authorized to access the organization’s information systems;

  • measures for identifying and authenticating individual users of the information systems;

  • procedures and limitations for the granting of said authorization access;

  • restricted access to the information systems, on a needs basis; and

  • secure remote access to the information systems.

Information Protection

Those with access to the information system must be required to “monitor information systems and protect information from unauthorized access of use” by utilizing an internal assessment process. The factors to be considered include:

  • the sensitivity and importance of the information retained in the information system;

  • determination of whether the information is personal;

  • means of access, storage, and transmission of information in the information system;

  • access controls and malware protection for the information systems; and

  • the potential effect of a cybersecurity incident on relevant parties

Threat and Vulnerability Management

Affected entities would be required to “detect, mitigate, and remediate cybersecurity threats and vulnerabilities with respect to adviser or fund information and systems.” This objective could be achieved by a system of ongoing monitoring, including scanning or reviewing the systems of internal and external users, and service providers, and monitoring industry and government sources for emerging or evidenced threats or vulnerabilities in the sector.

Cybersecurity Incident Response and Recovery

Affected entities would be required to design, implement, and maintain an incident response plan that will permit the organization to continue operations in the event of a cyber-attack. This plan should ensure continued operations, protection of the information systems and the information contained therein, and incident responses and reporting capabilities.

Annual Review and Required Written Reports

Affected entities would be required to review these cybersecurity policies and procedures annually to ensure its design and effectiveness is sufficient and write a written report in accordance with the terms of the proposed rule. The board of directors for the advisers and funds would approve cybersecurity policies and procedures, and review reports on cyber incidents. The proposed rule makes it clear that “board oversight should not be a passive activity.”

Recordkeeping

Affected entities would be required to maintain the following for a period of five years:

  1. “a copy of their cybersecurity policies and procedures formulated pursuant to proposed rule 206(4)-9 that are in effect, or at any time within the past five years were in effect;

  2. a copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures pursuant to proposed rule 206(4)-9 in the last five years;

  3. a copy of any Form ADV-C filed by the adviser under rule 204-6 in the last five years;

  4. records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident, in the last five years; and

  5. records documenting an adviser’s cybersecurity risk assessment in the last five years.”

Reporting of Significant Cybersecurity Incidents to the Commission

Affected entities would be required to report to the SEC “significant cybersecurity incidents” that affect those entities, as well as “on behalf of a client that is a registered investment company or business development company, or a private fund…that experiences a significant cybersecurity incident.”

Disclosure of Cybersecurity Risks and Incidents

Forms currently utilized by advisers and funds would be amended to require the “disclosure of cybersecurity risks and incidents to their investors and other market participants.” The current forms require the disclosure of cybersecurity risks, but these amendments would require disclosures be more direct so that risk can be more clearly understood, and to increase accountability of the regulated parties.

These updated disclosure requirements would include a “narrative description” of the cybersecurity risks that the advisers and funds face, how they assess and respond to these risks, and any significant incidents occurring in the past two years.

In addition to the mandatory program implementation under the proposed rule, the SEC is proposing a rule under the Advisers Act to implement reporting and disclosure requirements for advisers when a significant cybersecurity incident occurs that affects the adviser, its funds, or clients. If the proposed rules are approved by the SEC and go through a mandatory public comment period, the SEC would implement new recordkeeping requirements under the Advisers Act and Investment Company Act.

Key Takeaways

The SEC has recognized that a “one size fits all approach” isn’t feasible given the wide variations in size, resources, and sophistication, [of its registrants], but it clearly intends to hold all regulated entities accountable for compliance at some level.”

SEC Commissioner Allison Herren Lee, acknowledged and applauded the “more collective and collaborative approach among a variety of parties including the adviser, the fund board, and others,” in protecting the financial system from cybersecurity threats. According to Lee, these efforts should “build transparency, responsiveness and accountability.”

As such, advisers and funds should prepare themselves for a shift in regulatory oversight and compliance obligations with respect to cybersecurity.

Jason Shoup
Previous

China’s Amended Cybersecurity Measures Take Effect
Next

Exciting Changes For ADCG!