If you are an investment adviser, registered investment company, and/or business development company, you may have new cybersecurity control requirements to comply with moving forward. Read on to see what’s changing – and how those changes might affect you.
Earlier this year, the U.S. Securities and Exchange Commission (SEC) proposed new rules under the existing Investment Advisers Act of 1940 and the Investment Company Act of 1940. These rules require registered investment advisers (“advisers”) and investment companies (“funds”) to adopt and implement improvements to their cyber risk management and security programs. Currently in the review phase, it is anticipated that these changes will be adopted in some form over the next year.
The changes were prompted by the SEC ’s direct concerns about the efficacy of adviser and fund organizations’ security practices. In its overview of the rules proposal, the SEC states, “While some funds and advisers have implemented cybersecurity programs under the existing regulatory framework, there are no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs. Based on our staff’s examinations of advisers and funds, we are concerned that some funds and advisers that are registered with us have not implemented reasonably designed cybersecurity programs. As a result, these firms’ clients and investors may be at greater risk of harm than those of funds and advisers that have in place appropriate plans to address cybersecurity risks.”
The proposed new requirements can be broken down into 5 key areas of cybersecurity program development. The highlights of each of these areas are summarized below to help you understand how these new requirements may affect your organization:
Cyber Program Governance
The proposed SEC rules give advisers and funds the flexibility to design their cyber program based on the particular cybersecurity risks posed by their unique size, operational structure, and business practices. That’s the good news. In order to achieve this, however, firms will have to implement a risk management strategy that includes performing continuous risk assessments, and understand their unique threat profiles and organizational risk tolerance levels. The designation of a person or group of people to implement and oversee the effectiveness of the cybersecurity program will allow firms to determine if the optimal cybersecurity strategy is to have onsite security staff or to leverage third-party cybersecurity experts, such as CISO advisory services.
Development of a Risk Management Program
Under the proposed new rules, advisers and funds will need to have a risk management program in place. Requirements include performing periodic risk assessments of their information systems and the results documented and presented to senior level management as part of their required oversight of security risk to the organization. In addition, advisors and funds also will be required to have a process for conducting third-party and supply chain risk to identify the cybersecurity risks associated with the use of service providers.
This area is the most comprehensive and requires firms and advisors to design and implement a cybersecurity program that is resilient to a cyber incident. Cyber resilience is defined as the ability of an organization to continuously deliver its intended mission by preparing for, responding to, and recovering from cyber threats. To achieve this resilience, advisors and funds would need protection technologies implemented across their systems, capabilities to monitor, detect, assess, and remediate threats and vulnerabilities across their environment, and the ability to respond and recover from any detected threats in order to continue or resume business operations.
Cybersecurity Incident Response and Recovery
Following along the lines of resilience, advisors and funds would be required to develop an incident response and recovery process designed to ensure continued operations and the protection of, and access to, sensitive information and data. The plan would need to have a clear escalation protocol to ensure that their senior officers, appropriate legal, compliance personnel, and board are informed. The rule also requires that the plan is tested periodically to assess its efficacy and to determine whether any changes are necessary, for example, through tabletop or full-scale exercises.
Fund Board Oversight
The proposed rules would require the organizations’ board of directors to have continuous oversight of the cyber program including the initial approval of cybersecurity policies and procedures. Board oversight also would entail ongoing and active review of cybersecurity incidents and any material changes to the cybersecurity program at least annually.
The rule changes the SEC is proposing are in line with regulations in other industries, and essentially require that adviser and fund organizations build out a comprehensive security strategy. There is nothing in this plan that is excessive given the increased number of threats and advanced set of adversaries in an evolving threat landscape.
Implementing an effective cybersecurity program has its challenges, from the complexity and costs of multiple point solutions that don’t work well together to a global shortage of specialized talent. Still, it is possible to strengthen your security posture and prepare to meet the requirements of the pending new SEC rules. The guidance of a trusted security partner can help you navigate the challenges – an easier and more efficient approach to preparing for compliance with the proposed rules than traveling the path alone.
If you are preparing for the new SEC proposed rules, SilverSky can help. Visit our solutions page to see our full set of managed services that will strengthen your security posture.