The SEC proposed new cybersecurity risk management rules, including changes that would require “both advisors and funds to create policies and procedures appropriately designed to address cybersecurity risks,” according to the commission.
“Registered investment advisors, investment companies and business development companies currently have to comply with a variety of regulations that may affect their cybersecurity practices, such as books and records, compliance and business continuity rules,” SEC Chairman Gary Gensler said of the proposed rules. “Today’s release is based on those requirements.”
Along with Commissioners Alison Herren Lee and Carolyn Crenshaw, Gensler was a supporter of the proposed new set of rules, while Commissioner Hester Peirce was not in favor.
According to Gensler, the new rules would impose additional recordkeeping obligations on both advisors and private funds, and would require advisors to confidentially report certain “significant” cyber incidents to the SEC. They would also require advisors and funds to disclose certain types of cybersecurity incidents to clients and investors.
While advisors are currently required to provide disclosure on practices, fees, risks and conflicts as part of their Form ADV, the new rules would amend Part 2A of the form to require advisors to disclose cybersecurity risks and incidents. Gensler hoped that the reforms would reduce cybersecurity risks for all registrants.
“I believe they can provide clients and investors with better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with greater insight into the cyber risks of intermediaries,” he said.
In the proposed rule, the SEC defines a “significant” cyber incident as one that “impedes or degrades an advisor’s ability to maintain significant operations” or that could cause substantial harm to the advisor or its clients. For example, if an advisor cannot access its internal computer systems because malware has shut them down, its ability to provide client services may be reduced, perhaps for days or weeks. Significant harm to a client is harm that leads to “significant monetary loss or theft of personally identifiable or proprietary information,” according to the SEC.
The commission’s proposal would require firms to report these incidents to the SEC within 48 hours so the Commission can monitor the effects on advisors and clients. Multiple similar reports in a short time frame could also indicate a wider problem.
Last fall, the Commission’s Enforcement Division charged eight firms with cybersecurity failures, alleging they had failed to protect customers’ private information after bad actors were able to take over company email accounts. After the breaches were announced, several cyber experts questioned the Commission’s actions, arguing that the Commission needed to be clear about what it required of firms in the first place.
In a statement supporting the proposed rules, Lee argued that by some measures there has been a nearly 70% increase in “data compromise” since 2020, while Crenshaw noted that the G20 has recently prioritized cyberattacks, stating that they could “disrupt financial services critical to both the national and international financial systems.” Lee acknowledged the 48-hour timeline for advisors to notify the Commission about a cyber incident, but said no specific time frame was attached to notifying clients.
“Instead, such notification would need to be made ‘immediately.’ Should investor notification be linked to a more discrete time frame to ensure timeliness of need-to-know information?” she asked.
In her criticism of the proposed rules, Peirce acknowledged that cybersecurity was a “uniquely challenging” threat, and found that the release was attempting to balance the need to inform both the Commission and clients about cybersecurity incidents against concerns that the mandate would lead to “over-disclosure.” But Peirce cautioned that a successful cyberattack on an advisor, firm or fund does not necessarily mean that the firm has made a mistake in its cybersecurity preparedness.
“We must be ready to provide advisors and funds to assist us in the fight against cyber attackers,” Peirce said. “Absent circumstances that suggest a deliberate or reckless neglect of known vulnerabilities by the firm, we must resist the temptation to pile on with an enforcement action following the breach.”
The proposed rules will be published on both the SEC site and in the Federal Register, and the public comment period will remain open for the longer of 60 days after publication on the SEC site or 30 days after publication in the Federal Register.