The alternative investment industry is awaiting a finalized ruling from the Securities and Exchange Commission (SEC) on new proposed cybersecurity rules that were originally introduced February 9, 2022 and will significantly impact firms cyber risk strategy.
On March 15, 2023, the SEC released an update on the proposed cybersecurity risk management rules and amendments (“proposed Rule 206(4)-9” and “proposed rule 38a-2”) for registered advisors and funds.
The SEC update accounts for material additions including proposed regulation for outsourcing of “covered functions,” extended scopes of applicability and proposed cybersecurity rules for broker-dealers and clearing agencies, amongst others. The material changes had led the SEC to reopen the comment period for an additional 60 days. The final decision had been pushed out, but Drawbridge has thoroughly analyzed the reporting requirements for likely final outcomes and will work with our clients to ensure readiness as soon as the regulation is finalized.
Firms should take steps today to exceed compliance standards ahead of the finalized SEC decision, including:
- Continuous vulnerability management to analyze network and endpoint vulnerabilities in real time.
- Cybersecurity training across the organization to empower employees to protect critical data by mitigating social engineering attacks.
- Cyber risk assessments to better understand cybersecurity risk and operational controls.
- Strengthening written policies and procedures on cybersecurity.
We have done a thorough sweep and analysis of expected SEC outcomes and will continue to work with our 1,000+ clients to inform their cyber risk strategy and ensure confidence in cyber posture ahead of the effective regulation date.
If your firm still has questions on how best to secure its cyber defenses ahead of the upcoming SEC guidelines on cybersecurity risk management, reach out to the Drawbridge team for our recommendations on how to prepare.
Note: This blog post was originally published in March 2023.
