New SEC Cyber Rules: Will Your Firm Be Ready?

The SEC has proposed new rules around cyber risk management for investment advisers and funds. There’s a lot to unpack in the 224-page SEC document that delineates the new rules. But the takeaway is that investment advisers and funds must take specific actions around seven core aspects of cyber risk management: policies and procedures, access management, data protection, vulnerability management, incident response, reporting, and accountability.

To prepare your organization for compliance and protect it against cyber risk, take these 7 actions now:

1. ESTABLISH WRITTEN CYBERSECURITY PLANS, POLICIES, AND PROCEDURES.

• Document a robust cyber risk plan.

• Formalize your cybersecurity policies and procedures.

• Assess, categorize, and prioritize your unique risks.

• Classify your datasets.

• Identify critical service providers that have access to your data.

• Review policies and procedures at least annually.

• Update based on business changes that could affect cyber risk.

• Make sure documentation is easily retrievable.

2. REVIEW, DOCUMENT AND ENFORCE ACCESS MANAGEMENT BEST PRACTICES.

• Understand that best practices for data access management are now SEC policy.

• Create and enforce an acceptable use policy (AUP).

• Create policies for passwords, least-privilege access, and remote access.

• Implement multifactor authentication (MFA).

• Closely involve IT for access management, device management, endpoint protection,and training.

• Review and update policies regularly.

3. DEPLOY DATA PROTECTION POLICIES AND TECHNOLOGIES.

• Monitor and protect data from unauthorized access.

• Safeguard data based on sensitivity level and importance to operations.

• Protect data when it’s stored and as it’s transmitted.

• Leverage methods such as encryption, network segmentation, access controls, and automated threat detection.

• Document which vendors have access to data.

• Require vendors to meet cybersecurity standards and report cyber incidents.

4. MANAGE THREATS AND VULNERABILITIES.

• Perform regular vulnerability scans.

• Track, prioritize, and remediate known vulnerabilities.

• Update and patch software promptly.

• Don’t overlook device and application configuration.

• Conduct regular penetration tests.

5. IMPLEMENT CYBERSECURITY INCIDENT RESPONSE PLANNING AND RECOVERY.

• Develop and document an incident response plan and recovery procedure.

• Include metrics for speed and effectiveness of response.

• Test the response plan and fine-tune it based on results.

• Identify ways to handle data if vendor systems become unavailable.

6. REPORT AND DISCLOSE CYBERSECURITY INCIDENTS.

• Realize that reporting of cyber incidents is a major new SEC requirement calling for a new level of transparency.

• Report significant cyber incidents to the SEC.

• Publicly disclose cyber risks and incidents from the previous two fiscal years to both clients and the SEC.

7. FORMALIZE CYBERSECURITY RESPONSIBILITY AND ACCOUNTABILITY. 

• Recognize that new SEC rules formalize cybersecurity accountability.

• Boards of directors must review and approve cybersecurity policies and procedures.

• Boards must also understand and address cyber threats in the marketplace.

• Alert boards to cyber incidents.

• Inform boards about vendors that handle sensitive data.

WANT TO LEARN MORE? DOWNLOAD OUR IN-DEPTH WHITE PAPER, “NEW SEC RULES FOR CYBERSECURITY RISK MANAGEMENT: HOW INVESTMENT ADVISERS AND FUNDS SHOULD RESPOND TODAY.”