New SEC Cyber Rules: Will Your Firm Be Ready?

The SEC has proposed new rules around cyber risk management for investment advisers and funds. There’s a lot to unpack in the 224-page SEC document that delineates the new rules. But the takeaway is that investment advisers and funds must take specific actions around seven core aspects of cyber risk management: policies and procedures, access management, data protection, vulnerability management, incident response, reporting, and accountability.

To prepare your organization for compliance and protect it against cyber risk, take these 7 actions now:

1. ESTABLISH WRITTEN CYBERSECURITY PLANS, POLICIES, AND PROCEDURES.

  • Document a robust cyber risk plan.

  • Formalize your cybersecurity policies and procedures.

  • Assess, categorize, and prioritize your unique risks.

  • Classify your datasets.

  • Identify critical service providers that have access to your data.

  • Review policies and procedures at least annually.

  • Update based on business changes that could affect cyber risk.

  • Make sure documentation is easily retrievable.

2. REVIEW, DOCUMENT, AND ENFORCE ACCESS MANAGEMENT BEST PRACTICES.

  • Understand that best practices for data access management are now SEC policy.

  • Create and enforce an acceptable use policy (AUP).

  • Create policies for passwords, least-privilege access, and remote access.

  • Implement multifactor authentication (MFA).

  • Closely involve IT for access management, device management, endpoint protection, and training.

  • Review and update policies regularly.

3. DEPLOY DATA PROTECTION POLICIES AND TECHNOLOGIES.

  • Monitor and protect data from unauthorized access.

  • Safeguard data based on sensitivity level and importance to operations.

  • Protect data when it’s stored and as it’s transmitted.

  • Leverage methods such as encryption, network segmentation, access controls, and automated threat detection.

  • Document which vendors have access to data.

  • Require vendors to meet cybersecurity standards and report cyber incidents.

4. MANAGE THREATS AND VULNERABILITIES.

  • Perform regular vulnerability scans.

  • Track, prioritize, and remediate known vulnerabilities.

  • Update and patch software promptly.

  • Don’t overlook device and application configuration.

  • Conduct regular penetration tests.

5. IMPLEMENT CYBERSECURITY INCIDENT RESPONSE PLANNING AND RECOVERY.

  • Develop and document an incident response plan and recovery procedure.

  • Include metrics for speed and effectiveness of response.

  • Test the response plan and fine-tune it based on results.

  • Identify ways to handle data if vendor systems become unavailable.

6. REPORT AND DISCLOSE CYBERSECURITY INCIDENTS.

  • Realize that reporting of cyber incidents is a major new SEC requirement calling for a new level of transparency.

  • Report significant cyber incidents to the SEC.

  • Publicly disclose cyber risks and incidents from the previous two fiscal years to both clients and the SEC.

7. FORMALIZE CYBERSECURITY RESPONSIBILITY AND ACCOUNTABILITY.

  • Recognize that new SEC rules formalize cybersecurity accountability.

  • Boards of directors must review and approve cybersecurity policies and procedures.

  • Boards must also understand and address cyber threats in the marketplace.

  • Alert boards to cyber incidents.

  • Inform boards about vendors that handle sensitive data.

WANT TO LEARN MORE? DOWNLOAD OUR IN-DEPTH WHITE PAPER, “NEW SEC RULES FOR CYBERSECURITY RISK MANAGEMENT: HOW INVESTMENT ADVISERS AND FUNDS SHOULD RESPOND TODAY.”