2024 SEC Examination Priorities for Cybersecurity in Registered Alternative Investment Funds

With the SEC’s “Cybersecurity Risk Management for Investment Advisors” rule still awaiting final approval, the SEC has released a significant update to the Department of Examination’s priorities for 2024. The publication comes with some interesting focal points for cybersecurity that help shape the direction we can expect in the final ruling.

First, there is a definitive shift to establish “operational resilience” as a goal for SEC-registered funds. The SEC, and the industry at large, recognize the risk that operational interruptions can bring to a firm. Operational outages can result from ‘traditional’ cyber incidents like hardware outages or ransomware events, as well as risks related to a dispersed workforce and intense weather-related disruptions. A firm’s incident response plan and business continuity planning are designed to proactively address these risks.

The second focal point has to do with third-party risk and vendor due diligence. Being able to address the cybersecurity risks in all kinds of technology solutions, whether they are on premises or in the cloud, is an aspect of SEC compliance.

The SEC’s Department of Examination clearly states that oversight of third-party vendors is one of its 2024 priorities. Make sure your firm takes the appropriate steps to identify and mitigate risks if one of your third-party vendors is impacted by a cyber attack.

The department includes topics that form the core of the proposed cyber rule. Policies and procedures, staff awareness training, internal controls, governance, reporting, and the protections around personally identifiable information all remain clearly under the spotlight.

All said, the examination priorities leave little doubt that cyber remains incredibly important, and they demonstrate a clear path that follows the proposed rule requirements. Firms that have prepared based on the expectations of the new rule should be in good standing, while those that have waited for the final ruling could be behind the Department of Examination’s standards.

Are you ready for the upcoming final SEC cyber rule? Schedule a free 30-minute cyber review with one of our team members to quickly run through a checklist of what the SEC expects you to implement.

 

 

Author: Simon Eyre, Drawbridge CISO
