The SEC Gets Real with Investment Advisers and Funds About Their Cyber Hygiene

Acknowledging the severity of cyber risks, the SEC in early February proposed new cybersecurity risk management rules and amendments for registered investment advisers, registered investment companies, and funds.

Thanks to law firms, management consultants, and other SEC watchers, in-depth analyses of the proposed changes are readily accessible online. These reports do a good job of walking readers through the specifics of the new regulations, chapter and verse. Examples of these distillations are available herehere, and here.

Leaving details aside for the moment, the proposed rules include four major changes. If the changes are adopted as written, here are the big new compliance wrinkles that RIAs and funds will need to smooth out.

  • Policies – Develop, adopt, and implement formal, written policies and procedures for addressing cybersecurity risks.
  • Reporting – Produce and deliver to the SEC detailed reports on any significant cybersecurity incidents within 48 hours of their occurrence or detection.
  • Disclosure – Strengthen and expand investment adviser and fund disclosures of cybersecurity-related risks and incidents.
  • Recordkeeping – Maintain 5 years’ worth of records on:  cybersecurity policies and procedures; annual reviews of cybersecurity preparedness and response capabilities; all relevant regulatory filings; reports on incidents; and cybersecurity risk assessments.

What the detailed analyses (linked to above) generally don’t do is take a step back to gain a broader perspective on what the SEC is really trying to accomplish here – and what that means operationally for investment advisers and funds.

First, let’s clarify what the SEC is not doing with these proposed changes. They’re clearly not mandating adoption or implementation of any specific technologies, controls, or practices across the traditional cybersecurity program buckets of identification, prevention, detection, and response/recovery. The SEC isn’t serving up specific operational checklists like those in NIST 800-53 or PCI DSS.

However, the SEC is becoming a bit more prescriptive as compared to its existing cybersecurity guidance. One example is more stringent requirements for safeguarding information. The bottom line, according to one prominent law firm, is that the proposed rules “would require most registered advisers to implement enhancements to their cybersecurity programs.”

But what enhancements, exactly?

Investment operations pros and compliance officers at RIAs and registered fund companies are eager to get more specifics about what the SEC will expect of them on the cybersecurity front. The answer will vary from firm to firm given their present cybersecurity program and resources. But what will the new direction be, and how should funds start reshaping their cybersecurity programs now? After all, nobody wants to be behind the curve when the new regulations take effect.

As is always the case in these situations, figuring out what the SEC’s must-haves and nice-to-haves will be, in advance of the actual rules being published, requires some “reading the tea leaves.”

A good place to start looking at what the SEC’s leadership is saying publicly about the topic. Here’s a quote from SEC Chair, Gary Gensler, from the February 9th press release announcing the proposed changes. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

The key words from Mr. Gensler’s quote are “cybersecurity preparedness” and “resiliency.” That speaks to the SEC’s intended emphasis areas. A simple view of cybersecurity is that roughly half of the overall “identify, prevent, detect, respond” activity happens before cyber threats turn into attacks. This includes everything related to preparedness, and much of the resiliency piece of the puzzle as well (i.e., having sound plans in place about exactly what to do when attacks occur).

The other half of the cybersecurity realm is the active response, remediation, and recovery capabilities, which are obviously critical components of any cybersecurity regimen.

But it seems that with this new slate of proposed rules, the SEC wants advisers and funds to focus more on the “before” aspects of this challenge – preparedness, and let’s call it resilience planning, or continuous vulnerability management.

The fact is, across the financial services industry, significant investments have been made in technology that finds, alerts on, and takes action when bad stuff is happening (think application security, network monitoring and management, intrusion detection, security information and event management, etc.).

Perhaps SEC officials are channeling their inner Benjamin Franklin and saying via these new regulations that “An ounce of prevention is worth a pound of cure.” Whatever the reason, when these new rules go into effect, the SEC will be zooming in on advisers’ and fund companies’ cybersecurity preparedness and resiliency.

The agency says as much in its 2022 Examination Priorities document. Published each year by the agency’s Division of Examinations, it’s the annual “heads up” the SEC gives to compliance officers, Board directors, and company executives about areas they are prioritizing in examination processes.

In this year’s edition, the SEC cites “Information Security and Operational Resiliency” as one of just four “Significant Focus Areas” for 2022.

One key passage is the following:

“Failing to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of sensitive records may have consequences that extend beyond the firm compromised to other market participants and retail investors. Accordingly, the Division will review broker-dealers’ and RIAs’ practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets.”

Again, there’s that emphasis on effective prevention – which can only come from solid preparedness in the “before” part of the equation.

The document goes on to give some specificity about what the SEC will be looking for from advisers and funds in this area.

“Specifically, EXAMS will continue to review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; (5) identify and detect red flags related to identity theft; and (6) manage operational risk as a result of a dispersed workforce in a work-from-home environment.”

Furthermore, in an apparent response to recent, sophisticated – and successful – supply chain attacks, the new rules include implicit guidance that advisers and fund companies (indeed all investment companies) will be required to take greater ownership of cybersecurity responsibilities across their service provider and partner networks, and with any company with which their operations are intermingled. This new requirement could have major operational ramifications for private equity firms relative to their portfolio companies.

In addition to the proposed cybersecurity rules and the SEC’s stated Examination Priorities, the Commission announced in May that it has added 20 positions “to the unit responsible for protecting investors in crypto markets and from cyber-related threats. The newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) in the Division of Enforcement will grow to 50 dedicated positions.” The added positions include “supervisors, investigative staff attorneys, trial counsels, and fraud analysts.” It is clear that the SEC is scaling up its ability to monitor and respond to cybersecurity (and cryptocurrency-related) threats.

Regardless of how the details play out, it’s a smart move for RIAs and funds to take a long, hard look at what plans, programs and resources they have in place that directly address their firm’s cybersecurity preparedness. When rolled up, do those resources tell a strong story? Strong enough to hold up in an SEC examination session?

If executives or compliance officers don’t know the answer, it’s time they found out. A comprehensive assessment is the logical place to start.

There’s one other note that’s important to mention. As referenced above, many firms and funds may have made large investments on their mitigation/response/recovery capabilities, but perhaps are a little light or have gaps on the preparedness side. That’s okay because there are solutions available (Drawbridge’s offerings are among them) that can essentially leverage and integrate with a company’s existing cybersecurity infrastructure while simultaneously bolstering any weaknesses on the preparedness side. No “rip & replace” required.

Twists and turns, and wins and losses surely await any investment adviser or fund that gets tagged by the SEC for examination. Firms should recognize the agency’s motivation for elevating this focus area, and understand (to the degree possible) the SEC’s expectations around the new rule. It’s also important that they initiate action now to align their cybersecurity preparedness and resiliency programs and resources with those expectations.

Starting down this path now could well save firms enormous amounts of stress, extra compliance work, and potential fines and reputational damage down the road. Plus, for advisers’ and funds’ investors, employees, partners, and other stakeholders, it’s simply the right thing to do.