Posts

Cybersecurity for RIAs

Last year the Securities and Exchange Commission (SEC) voted to implement new and amended SEC RIA requirements to the Advisers Act of 1940 for cybersecurity risk management for registered investment advisers (RIAs) and funds.

Is your firm ready?

[ez-toc]

sec ria cybersecurity requirements

The proposed SEC rule changes would oblige RIA firms to develop and implement written policies and procedures to reduce cybersecurity risks that could harm clients and fund investors. The proposed regulations would also force advisers to report cybersecurity incidents like data breaches involving client information to the SEC.

Additionally, the proposed changes call for publicly disclosing cybersecurity risks and significant incidents from the last two fiscal years in their marketing materials and registration statements.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

While comments initially closed in April 2022, comments were reopened on March 15, 2023. Once comments are fully closed, the finalized rules will most likely become effective later in 2023. We will be providing future updates once the final regulations are published.

What do the New SEC RIA Cybersecurity Requirements Entail?

The four significant proposed changes include the following:

  1. The proposal consists of new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. In addition, the proposed cybersecurity risk management rules require public companies to adopt and implement policies and procedures for identifying, assessing, and mitigating cyber risks.
  2. The proposal also includes a reporting requirement under new rule 204-6 mandating companies report significant cybersecurity incidents affecting the adviser, its fund, or private fund clients.
  3. The updated rules include changes to Form ADV Part 2A requiring advisers and funds to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
  4. The proposal also includes new recordkeeping requirements under the Advisers Act and Investment Company Act Rule 204-2 to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.

RELATED CONTENT → Security vs. Compliance: Differences & Similarities


What Can You Do to Prepare for RIA Cybersecurity Enforcement?

Here are some expert tips on being ready for enforcement when the changes go into effect later this year.

  •  Develop and Implement Policies and Procedures

RIAs and funds must create comprehensive cybersecurity policies and procedures to mitigate cybersecurity risks per the proposed rules. Keep in mind that these policies and procedures must be both compliant and actionable.

  • Conduct a Risk Assessment

Evaluate cybersecurity risks by identifying, categorizing, and prioritizing cybersecurity risks related to your systems and operations. By conducting an effective risk assessment, you’ll have the necessary information to develop compliant policies and procedures to combat potential cybersecurity risks.

  • Prepare for Disclosure Obligations

When it comes to disclosures associated with cybersecurity risks or incidents, develop procedures for clear, accurate, and timely disclosures to the SEC, clients, investors, and other market participants.

  • Continuity Planning

In the event of a cybersecurity incident, you must be able to maintain system operations. So, test your incident response and business continuity plans through tabletop exercises to ensure compliance with the requirements.

  • Reporting and Documentation

Employing a governance, risk, and compliance (GRC) solution will ensure you have well-documented evidence that your cybersecurity program is compliant.

In addition to ensuring that your firm will align with the changes, these suggestions are also considered best practices for mitigating the risks from data breaches and other cyber attacks. Following these and other practices makes good sense whether your firm is required to or not.


To learn more about GRC, download our free guide →  Understanding Governance, Risk Management, and Compliance for Financial Services.


By employing these practices, you’ll be ready for any forthcoming changes to cybersecurity regulations and well-protected against potential security threats. One solution for preparing now or later is to work with an experienced and knowledgeable IT service provider. An IT partner experienced with RIA firms, and one employing robust cybersecurity and compliance solutions can reduce the time and resources it takes to comply with and implement these and other cybersecurity compliance standards.

FINRA Rule 4370

FINRA Rule 4370

The Financial Industry Regulatory Authority (FINRA) recently announced the completion of the review process for FINRA Rule 4370 and upholds the Rule as it currently stands. The agency put the Business Continuity Plan (BCP) Rule 4370 into place to ensure continuity of operations for broker-dealer firms following a disruption or disaster. FINRA based its decision to keep 4370 intact on the recently completed BCP Rule and Pandemic Review, both of which highlight the benefits of the Rule.

The FINRA BCP Rule requires broker-dealers to maintain continuity plans designed to ensure their ability to resume business operations after an interruption or in the event of a disaster. Regulatory Notice 21-44 provides clarification of FINRA’s compliance obligations for broker-dealers waiting to see where the agency would land regarding updating or maintaining the Rule.

Background on Rule 4370

In early 2019, announced a review of the Rule to determine its effectiveness and viability. In addition, the agency considered the costs, risks, and benefits associated with developing, maintaining, and implementing BCPs against not utilizing them.

According to FINRA’s announcement, stakeholders reported that Rule 4370 was working as intended. FINRA observed that the Rule’s “flexible, non-prescriptive, and risk-based approach has been effective in ensuring firms of all sizes are prepared for potential business disruptions.”

Additionally, during the early stages of the pandemic, FINRA also published Regulatory Notice 20-08, which recommended that member firms review their plans for pandemic preparedness.

What Does This Mean For Your Firm?

FINRA has made it clear that firms should continue developing and maintaining plans according to Rule 4370. However, the agency will not be providing specific guidance; firms are on their own when it comes to fulfilling the requirements for compliance.

What Are the Next Steps?

New and established brokerage firms will need to evaluate their status regarding Rule 4370 to guarantee compliance and that they are operating with an effective BCP. However, a BCP alone is not enough to ensure continuity.

For firms looking to assess their disaster readiness and compliance, there are six critical components of a BCP that will be there when you need it.

    1. Establish or Evaluate Existing BCP
    2. Test BCP
    3. Validate Vendor Readiness to Support BCP
    4. Ensure Remote Access for Essential Personnel
    5. Educate Personnel and Conduct Training
    6. Routinely Repeat this Process

By following these steps, your firm will be prepared for potential business disruptions and remain compliant. Of course, there is more involved in each of these steps. For more granularity, read our post, Business Continuity Checklist for Financial Services Firms, which outlines just how to assure operational continuity and data protection.

Coretelligent is here to help your firm navigate the details in developing and maintaining a business continuity plan. We can also assist with incorporating it into your IT strategy, cybersecurity solutions, and compliance reporting. As an MSP with considerable experience within the financial services industry, Coretelligent understands the regulatory imperatives required of you and your business. That is one of the main benefits of working with an IT partner with deep industry knowledge and expertise.

Reach out and we will work with your IT and compliance teams to review your BCP and develop a roadmap to make sure your firm is secure.