New Cybersecurity Rules proposed by the SEC for Registered Funds and Investment Advisors

In a previous article I wrote about the SEC rules for publicly traded companies that are going into effect this week, Dec 18th, 2023. This article is about proposed rules specifically for Registered Funds and Investment Advisors. The rules proposed here are much more specific, and RIAs need to start preparing for them now.

The SEC has been much more active in the area of cybersecurity in the past few years, and all indications are that this will continue. The government in general is realizing that protecting businesses from cyber attacks is critical to our economy, and many agencies are formalizing their rules. Although no one likes regulation when they are the target of it, sometimes it is for our own good. This may be one of those occasions. So, let’s see what it is all about and get plans ready to be compliant for our own good before we are forced to do it. That way, when any regulation takes effect, we will be ready and won’t have to complain too much.

Overview of the Rule Proposal 

While some rules already in place, such as Regulation S-P, require RIAs to implement security plans, there are currently no Commission rules that specifically require firms to implement cybersecurity programs. The SEC is concerned that although many firms have implemented plans, others have not. The intent of the proposed rule is to ensure that more firms have a reasonable plan, and the proposed rules are intended to provide more specific guidance.

The proposed rule would also require that at “least annually, all firms to review and evaluate the design and effectiveness of their cybersecurity policies and procedures, which would allow them to update them in the face of ever-changing cyber threats and technologies” (from the proposed rule, cited below). The rule also proposes that firms be ready to “report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission on a confidential basis.”

The rules are currently open for comment, and some of the things the Commission is requesting comments on are as follows:

  • Should we exempt certain types of advisers or funds from these proposed cybersecurity risk management rules?
  • Should we scale the proposed requirements based on the size of the adviser or fund?  
  • Are the proposed elements of the cybersecurity policies and procedures appropriate?  Should we modify or delete any of the proposed elements?  Why or why not?
  • Should there be additional or more specific requirements for who would implement an adviser’s or fund’s cybersecurity program?
  • Would advisers and funds expect to use sub-advisers or other third parties to administer their cybersecurity programs?  If so, to what extent and in what manner?  Should there be additional or specific requirements for advisers and funds that delegate cybersecurity management responsibilities to a sub-adviser or third party?  If so, what requirements and why?
  • Should we include any other cybersecurity program administration requirements?
  • Are the proposed rules’ definitions appropriate and clear?
  • What are best practices that commenters have developed or are aware of with respect to the types of measures that must be implemented as part of the proposed cybersecurity risk management rules or, alternatively, are there any measures that commenters have found to be ineffective or relatively less effective?  
  • What user measures do advisers currently have for using mobile devices or other ways to access adviser or fund information systems remotely?  Should we require advisers and funds to implement specific measures to secure remote access technologies?  
  • Do advisers and funds currently conduct periodic assessments of their information systems to monitor and protect information from unauthorized use?  If so, how often do advisers and funds conduct such assessments?  Should the proposed rules specify a minimum assessment frequency, and if so, what should that frequency be?
  • Should we require that advisers and funds respond to cybersecurity incidents within a specific timeframe?
  • Should there be additional, fewer, or more specific requirements for the annual review or written report?
  • Should the annual review include whether the cybersecurity policies and procedures reflect changes in cybersecurity risk over the time covered by the review?  

There are still more questions asked; you can see them all in the link to the proposal below.

The question of who exactly will be covered by these new rules is still open for discussion, but it will be defined before the rules are in effect. You can see that the rules are by no means complete; however, it would do all RIAs well to understand and implement certain safeguards now, even if they are not ultimately required to do so. We think these are standard best practices that will eventually be required one way or the other for all businesses.

The rules outlined in the FTC article I wrote earlier are a good starting point. If you compare those to the brief outline here, you will see that they are similar. We here at ITSG are updating our security services and plans to directly address all these issues. This is why we update our standard security offerings each year.

Here is an outline of what is being proposed:

  1. Required Elements of Advisers’ and Funds’ Policies and Procedures
     1. Risk Assessment
        1. Categorize and prioritize cybersecurity risks based on an inventory of the components of their information systems, the information residing therein, and the potential effect of a cybersecurity incident on the advisers and funds.
        2. Identify their service providers that receive, maintain or process adviser or fund information, or that are permitted to access their information systems, including the information residing therein, and identify the cybersecurity risks associated with the use of these service providers.
     2. User Security and Access
        1. Requiring standards of behavior
        2. Identifying and authenticating individual users
        3. Establishing procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication
        4. Restricting access to specific adviser or fund information systems or components based on need to know
        5. Securing remote access technologies used to interface with adviser or fund information systems
     3. Information Protection – make policies and procedures that take into account:
        1. The sensitivity level and importance of adviser or fund information to its business operations
        2. Whether any adviser or fund information is personal information
        3. Where and how adviser or fund information is accessed, stored and transmitted, including the monitoring of adviser or fund information in transmission
        4. Adviser or fund information systems access controls and malware protection
        5. The potential effect of a cybersecurity incident involving adviser or fund information on the adviser or fund and its clients or shareholders, including the ability for the adviser to continue to provide investment advice or the fund to continue providing services
     4. Threat and Vulnerability Management – policies and procedures designed to detect, mitigate, and remediate cybersecurity threats and vulnerabilities. This means ongoing vulnerability assessments and remediation.
     5. Cybersecurity Incident Response and Recovery – plans to ensure:
        1. Continued operations of the fund or adviser
        2. The protection of adviser information systems and the fund or adviser information residing therein
        3. External and internal cybersecurity incident information sharing and communications
        4. Reporting of significant cybersecurity incidents to the Commission
        5. An incident response plan should also designate adviser or fund personnel to perform specific roles in the case of a cybersecurity incident.
        6. Have a clear escalation protocol to ensure that an adviser’s and fund’s senior officers, including appropriate legal and compliance personnel, and a fund’s board (as applicable) receive necessary information regarding cybersecurity incidents on a timely basis.
  2. Annual Review and Required Written Reports
     1. Review and assess the design and effectiveness of the cybersecurity policies and procedures.
     2. Prepare a written report. The report would, at a minimum, describe the annual review, assessment, and any control tests performed, explain the results thereof, document any cybersecurity incident that occurred since the date of the last report, and discuss any material changes to the policies and procedures since the date of the last report.
     3. Fund Board Oversight
  3. Record Keeping
     1. A copy of their cybersecurity policies and procedures
     2. A copy of the adviser’s written report documenting the annual review of its cybersecurity policies and procedures
     3. A copy of any Form ADV-C filed by the adviser under rule 204-6 in the last five years
     4. Records documenting the occurrence of any cybersecurity incident
     5. Records documenting an adviser’s cybersecurity risk assessment in the last five years
  4. Incident Reporting – there are very specific rules proposed for incident reporting, but also many open questions on how this will be required.

As you can see, there are a lot of requirements being proposed and many questions still to answer before the rule is finalized. The key takeaway is that the SEC wants RIAs to have a comprehensive security plan in place that protects, detects, mitigates, and manages security risks. The prudent course of action at this point is to start creating, implementing, and enhancing a security plan now. Once the rules are out, you will most likely only have to make minor adjustments to be compliant. You will also have the benefit of knowing you are doing all you can to prevent an incident that could hurt your business and your customers.

If you would like to discuss your exact situation with us, please contact or message me and I will be happy to discuss this with you.

This article is taken from the SEC proposed rule for RIAs: https://www.sec.gov/files/rules/proposed/2022/33-11028.pdf