SEC Mulling New Cybersecurity Rules
Recently proposed SEC cybersecurity rules could affect how U.S. securities markets, including issuers, registrants, and service providers, approach compliance efforts.
If you work in the investment industry, changes could be coming to how your organization mitigates cyber risk.
The Securities and Exchange Commission proposed a series of cybersecurity rules last month that would require investment advisers and registered investment companies to adopt and implement written cybersecurity policies and have procedures in place to address cyber risk.
In addition, the SEC is proposing rules that would require advisers to report significant cybersecurity incidents, such as hacks or ransomware attacks, and would roll out new recordkeeping requirements mandating that organizations keep their cybersecurity policies documented and on file, ready for review, over a period of years.
Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), hinted in January that changes like these were coming.
In a speech at Northwestern University Pritzker School of Law's annual Securities Regulation Institute conference, he told attendees that he'd asked his staff to provide sweeping rulemaking recommendations to bring the agency up to date with matters of cybersecurity.
"Cyber incidents, unfortunately, happen a lot. History and any study of human nature tells us they’re going to continue to happen. Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector," Gensler said in the speech.
Some of those changes came February 9, when the SEC released its proposal including rules on enhancing cybersecurity risk management programs.
At 243 pages, it’s a lengthy document, but there are really four major requirements the SEC is floating:
Cybersecurity Policies and Procedures
Under the first, Rule 206(4)-9, advisers and funds would have to adopt and implement written policies and procedures to address:
- risk assessment
- user security and access
- information protection
- cybersecurity threat and vulnerability management, and
- cybersecurity incident response and recovery
Advisers would have to ensure the policies are effective and prepare a report each year summarizing why, along with an explanation of any incident they had to deal with.
Disclosures of Cybersecurity Risks and Incidents
Under another proposed rule, 204-6, advisers would have to submit a form, Form ADV-C, to notify the SEC no more than 48 hours after a significant cybersecurity event.
"This reporting would help us in our efforts to protect investors in connection with cybersecurity incidents by providing prompt notice of these incidents. We believe this proposed reporting would allow the Commission and its staff to understand the nature and extent of a particular cybersecurity incident and the firm’s response to the incident," the SEC wrote in its proposal. "This reporting would not only help the Commission monitor and evaluate the effects of the cybersecurity incident on an adviser and its clients or a fund and its investors, but also assess the potential systemic risks affecting financial markets more broadly."
Regulatory Reporting of Cybersecurity Incidents
Along those lines, the SEC also wants advisers to communicate incidents more effectively to their investors and other market participants.
Additional newly proposed amendments would require advisers to describe cybersecurity risks that could affect their services "in plain English." The idea is that a client’s lack of this information could affect the advisory relationship.
In the eyes of the SEC, the move is designed to "enhance investor protection by ensuring cybersecurity risk or incident-related information is available to increase understanding and insight into an adviser’s or fund’s cybersecurity history and risks.”
The last major change, rule 204-2, would require advisers (investment advisers registered or required to register with the Commission under section 203 of the Advisers Act) to keep records of their policies and procedures, along with any reports provided to the Commission, for at least five years.
Another potential rule, 38a-2, would require funds to maintain copies of the following:
- copies of written reports provided to its board;
- records documenting the fund’s cybersecurity review;
- any report of a significant fund cybersecurity incident provided to the Commission by its adviser that the proposed rule would require;
- records documenting the occurrence of any cybersecurity incident, including records related to any response and recovery from such an incident; and
- records documenting a fund’s cybersecurity risk assessment.
While the proposed rules aren’t close to being enacted yet (the SEC is still taking comments on them until April 11), it certainly wouldn’t hurt for any organization that may fall under the SEC’s jurisdiction to consider how it would comply with them. Gensler stressed that he wanted the SEC to take into consideration the cyber hygiene guidance recently issued by the Cybersecurity and Infrastructure Security Agency, and these rules could mark the first step in doing so.