New SEC Cybersecurity Rules: Will Your Investment Firm Be Ready?

By ECI | Friday, August 12th, 2022

The SEC has proposed new rules around cyber risk management for investment advisers and funds. There’s a lot to unpack in the 224-page SEC document that delineates the new rules. But the takeaway is that investment advisers and funds must take specific actions around seven core aspects of cyber risk management: policies and procedures, access management, data protection, vulnerability management, incident response, reporting, and accountability.

To prepare your organization for compliance and protect it against cyber risk, take these 7 actions now:

1. Establish written cybersecurity plans, policies, and procedures.

  • Document a robust cyber risk plan.

  • Formalize your cybersecurity policies and procedures.

  • Assess, categorize, and prioritize your unique risks.

  • Classify your datasets.

  • Identify critical service providers that have access to your data.

  • Review policies and procedures at least annually.

  • Update based on business changes that could affect cyber risk.

  • Make sure documentation is easily retrievable.

2. Review, document and enforce access management best practices.

  • Understand that best practices for data access management are now SEC policy.

  • Create and enforce an acceptable use policy (AUP).

  • Create policies for passwords, least-privilege access, and remote access.

  • Implement multifactor authentication (MFA).

  • Closely involve IT in access management, device management, endpoint protection, and training.

  • Review and update policies regularly.

3. Deploy data protection policies and technologies.

  • Monitor and protect data from unauthorized access.

  • Safeguard data based on sensitivity level and importance to operations.

  • Protect data when it’s stored and as it’s transmitted.

  • Leverage methods such as encryption, network segmentation, access controls, and automated threat detection.

  • Document which vendors have access to data.

  • Require vendors to meet cybersecurity standards and report cyber incidents.

4. Manage threats and vulnerabilities.

  • Perform regular vulnerability scans.

  • Track, prioritize, and remediate known vulnerabilities.

  • Update and patch software promptly.

  • Don’t overlook device and application configuration.

  • Conduct regular penetration tests.

5. Implement cybersecurity incident response planning and recovery.

  • Develop and document an incident response plan and recovery procedure.

  • Include metrics for speed and effectiveness of response.

  • Test the response plan and fine-tune it based on results.

  • Identify ways to handle data if vendor systems become unavailable.

6. Report and disclose cybersecurity incidents.

  • Realize that reporting of cyber incidents is a major new SEC requirement calling for a new level of transparency.

  • Report significant cyber incidents to the SEC.

  • Publicly disclose cyber risks and incidents from the previous two fiscal years to both clients and the SEC.

7. Formalize cybersecurity responsibility and accountability.

  • Recognize that new SEC rules formalize cybersecurity accountability.

  • Boards of directors must review and approve cybersecurity policies and procedures.

  • Boards must also understand and address cyber threats in the marketplace.

  • Alert boards to cyber incidents.

  • Inform boards about vendors that handle sensitive data.

Want to learn more? Download our in-depth white paper, “New SEC Rules for Cybersecurity Risk Management: How Investment Advisers and Funds Should Respond Today.”