Top 7 Focus Areas from the SEC’s Cybersecurity Rules & Amendments Proposal
On February 9, 2022, the SEC published new proposed rules and amendments for registered investment advisors and funds as it relates to cybersecurity risk management. This is a new stake in the ground for the SEC when it comes to cybersecurity regulations and enforcement, and one that will have an incredible impact on processes, procedures and technology in the financial industry.
The big question is: What do firms need to do under the proposed rules?
Our team carefully analyzed the 250+ page proposal, and outlined below are the key areas in which firms will be required to assess, document, improve and act on their cybersecurity risk management.
1. Review Written Cybersecurity Plans, Policies and Procedures
One of the key areas of the proposal is the formalization of cybersecurity policies and procedures. Firms will need to fully review and document robust cybersecurity risk plans, which will involve assessing, categorizing and prioritizing their unique risks, as well as classifying data sets. Firms will also need to identify critical service providers that have access to their data.
The SEC proposal also notes that these documented plans, policies and procedures will need to be reviewed annually and updated upon any significant change to the business that would impact cybersecurity risks. Additionally, the documentation must be kept and easily retrievable for two years and archived for five.
2. Review, Document, and Enforce Access Management Best Practices
Access management is another primary theme of the SEC’s proposal, effectively making ‘best practices’ into SEC policy. Firms will need to set and enforce an Acceptable Use Policy governing standards of behavior for authorized users. They will also need to implement Multi-Factor Authentication (MFA) that does not rely on SMS-based requests, and actively monitor for account lockouts and failed login attempts. With these come the need for compliant password policies, least-privilege access policies and reviews of remote access technology – all of which need to be vetted and updated periodically.
Most of these policies will require IT support and management – for example, mobile device management, endpoint protection software and digital rights management – as well as the adoption of new processes and training.
3. Employ Information Protection Systems and Policies
Related to access management, the proposal outlines requirements for firms to monitor and protect information from unauthorized access based on new and more specific parameters. For the applicable data sets, these include the sensitivity level and the importance of the data to operations or to maintaining confidentiality, integrity and availability. The proposal also notes that monitoring and protection must extend to information while it is being transmitted. It goes on to prescribe methods to be used, including encryption, network segmentation, access controls, and automation or tools to detect and prevent threats. The rules also enhance a firm’s vendor management processes: firms must understand and document vendor access, contractually require vendors to meet security standards, and require vendors to report incidents.
4. Threat and Vulnerability Management
To adequately manage threats and vulnerabilities under the new rules, firms will need to conduct periodic vulnerability scans and penetration tests to determine risks, as well as implement patch management processes. They will also need to track, prioritize, and remediate reported or known vulnerabilities.
5. Cybersecurity Incident Response Planning and Recovery
Incident response plans and recovery procedures will need to be created to govern how a firm will act in the event of an incident, such as a breach or attack. Firms will need to develop and document a plan, as well as test their response plans through activities like tabletop exercises. Firms that rely on vendors to provide customer-facing information need to identify ways to operate without those vendors, such as running manual processes or delivering the data to clients by alternative means.
6. Cybersecurity Reporting and Incident Reporting & Disclosure
One of the most significant elements of the rules is the reporting and disclosure of incidents, as it will require a level of transparency and process that the SEC has not previously specifically required in its regulations. The SEC defines an ‘incident’ as “an event which significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations and protect confidential information.” It also stipulates the disclosure of risks that could materially affect an adviser’s services and will require firms to disclose incidents from the last two fiscal years to both clients and the SEC.
7. Fund Management Accountability for Cybersecurity
The SEC’s proposal elevates and formalizes responsibility and accountability for cybersecurity, requiring Boards of Directors to review and approve all related policies and procedures, and to be informed of all relevant vendors and incidents as they relate to cybersecurity and access to sensitive data. The proposal also requires boards to understand and address cybersecurity risks in the market.
There is so much to understand about the new proposal, and we invite you to join us for a webinar on February 23, 2022 at 10 a.m. EST on “Navigating the new SEC Cybersecurity Rules: Top 7 Focus Areas from the Full Proposal.”
Our team will unpack the proposal, talk through the key areas and discuss both short and long-term strategies to ensure compliance. Register for the webinar here.
While specifics within the SEC proposal may change between now, the comment period and the effective date, it is certain that financial services are going to be held to higher compliance standards when it comes to cybersecurity. This will drive firms to improve protection, detection, and mitigation capabilities to avoid negative outcomes which would lead to a loss of investor confidence.
Questions or want to learn more about how ECI can help you navigate and prepare for the new rules? Reach out to our team.
This is the list of sections affected: 17 CFR 275.206(4)-9 (“proposed rule 206(4)-9”) and 17 CFR 275.204-6 (“proposed rule 204-6”) under the Advisers Act [15 U.S.C. 80b-1 et seq.]; 17 CFR 270.38a-2 (“proposed rule 38a-2”) under the Investment Company Act [15 U.S.C. 80a-1 et seq.]; and new Form ADV-C [referenced in 17 CFR 279.7] under the Advisers Act; amendments to 17 CFR 275.204-2 (“rule 204-2”) and 17 CFR 275.204-3 (“rule 204-3”) under the Advisers Act; amendments to Form ADV [referenced in 17 CFR 279.1] under the Advisers Act; amendments to Form N-1A [referenced in 17 CFR 274.11A], Form N-2 [referenced in 17 CFR 274.11a-1], Form N-3 [referenced in 17 CFR 274.11b], Form N-4 [referenced in 17 CFR 274.11c], Form N-6 [referenced in 17 CFR 274.11d], Form N-8B-2 [referenced in 17 CFR 274.12], and Form S-6 [referenced in 17 CFR 239.16] under the Investment Company Act and the Securities Act of 1933 (“Securities Act”) [15 U.S.C. 77a et seq.]; amendments to 17 CFR 232.11 (“rule 11 of Regulation S-T”) and 17 CFR 232.405 (“rule 405 of Regulation S-T”) under the Securities Exchange Act of 1934 (“Exchange Act”) [15 U.S.C. 78a et seq.]; amendments to 17 CFR 230.485 (“rule 485”) under the Securities Act; and amendments to 17 CFR 230.497 (“rule 497”) under the Securities Act.