
Cybersecurity for RIAs

Last year the Securities and Exchange Commission (SEC) voted to propose new rules and amendments under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 covering cybersecurity risk management for registered investment advisers (RIAs) and funds.

Is your firm ready?


SEC RIA Cybersecurity Requirements

The proposed rules would oblige RIA firms and funds to adopt and implement written policies and procedures that are reasonably designed to address the cybersecurity risks that could harm clients and fund investors. They would also require advisers to report significant cybersecurity incidents, such as data breaches involving client information, to the SEC.

Additionally, the proposed changes call for publicly disclosing cybersecurity risks and the significant cybersecurity incidents of the last two fiscal years in adviser brochures and fund registration statements.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

The comment period initially closed in April 2022 and was reopened on March 15, 2023. Once comments are fully closed, the finalized rules will most likely become effective later in 2023. We will be providing future updates once the final regulations are published.

What do the New SEC RIA Cybersecurity Requirements Entail?

The four significant proposed changes include the following:

  1. The proposal introduces new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. These cybersecurity risk management rules would require advisers and funds to adopt and implement written policies and procedures for identifying, assessing, and mitigating cybersecurity risks.
  2. The proposal also includes a reporting requirement under new rule 204-6 requiring advisers to report to the SEC significant cybersecurity incidents affecting the adviser, its fund clients, or its private fund clients.
  3. The proposal amends Form ADV Part 2A so that advisers and funds must publicly disclose cybersecurity risks and the significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements.
  4. The proposal adds recordkeeping requirements under Advisers Act rule 204-2 and the Investment Company Act to improve the availability of cybersecurity-related information and to support the Commission's inspection and enforcement work.



What Can You Do to Prepare for RIA Cybersecurity Enforcement?

Here are some expert tips on being ready for enforcement when the changes go into effect later this year.

  • Develop and Implement Policies and Procedures

Under the proposed rules, RIAs and funds must adopt written cybersecurity policies and procedures that are reasonably designed to address their cybersecurity risks. The proposal names the elements such a program should cover: periodic risk assessments, user security and access controls, information protection, threat and vulnerability management, and cybersecurity incident response and recovery. Keep in mind that these policies and procedures must be both compliant and actionable; a document that nobody can follow in practice will not hold up during an examination or an incident.

  • Conduct a Risk Assessment

Identify, categorize, and prioritize the cybersecurity risks tied to your systems, data, and operations, including the service providers that access them. An effective risk assessment gives you the information you need to write policies and procedures that address the risks you actually face rather than generic ones.

  • Prepare for Disclosure Obligations

When it comes to disclosures associated with cybersecurity risks or incidents, develop procedures for clear, accurate, and timely disclosures to the SEC, clients, investors, and other market participants.

  • Continuity Planning

In the event of a cybersecurity incident, you must be able to keep operating. Test your incident response and business continuity plans through tabletop exercises so that gaps in roles, communications, and recovery steps are found before a real incident, and document the results as evidence that the plans are maintained.

  • Reporting and Documentation

Employing a governance, risk, and compliance (GRC) solution can help you maintain well-documented evidence that your cybersecurity program exists, is followed, and satisfies the recordkeeping requirements.

In addition to ensuring that your firm will align with the changes, these suggestions are also considered best practices for mitigating the risks from data breaches and other cyber attacks. Following these and other practices makes good sense whether your firm is required to or not.




By employing these practices, you’ll be ready for any forthcoming changes to cybersecurity regulations and well-protected against potential security threats. One solution for preparing now or later is to work with an experienced and knowledgeable IT service provider. An IT partner experienced with RIA firms, and one employing robust cybersecurity and compliance solutions can reduce the time and resources it takes to comply with and implement these and other cybersecurity compliance standards.

SEC Compliance Rule

The SEC compliance rule signals significant changes to regulations for broker-dealers, investment companies, RIAs, and other market participants.

The SEC has been signaling an expansion of cybersecurity compliance obligations for SEC-registered financial firms for some time. Increased and intensified state-sponsored cyber-attacks, data breaches, and ransomware have spotlighted the risk to the U.S. economy, its investment markets, and its investors.

“The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars,” said SEC Chair Gary Gensler in a speech on January 24, 2022. “Hackers have attacked broker-dealers, government agencies, meat processors, and pipelines. These attacks can take many forms from denials-of-service to malware to ransomware.”

Referencing the 2021 Robinhood breach and the 2020 SolarWinds incident, Gensler notes that the FBI, CISA, and the Biden administration are stepping up their joint work to curb the scourge of cybercrime.

He shares that the SEC is looking at ways to strengthen the financial markets’ cyber readiness and hints at a new and expanded compliance framework.

In terms of policy, there are three areas under scrutiny: cyber hygiene and preparedness, cyber incident reporting to the government, and disclosures to the public.

These areas call for IT solutions that prepare for, respond to, and report cyber events. Practices like access management and end-user training, which both reduce the likelihood of cyber incidents, will need to be implemented and reinforced. Additionally, a robust backup system and a disaster recovery plan should be developed or expanded for responding to any events that may happen. Depending on the specific language that ends up in new or expanded regulations, additional IT solutions will most likely be needed for compliance.

As far as which type of organizations may be facing new and strengthened regulations—the list includes SEC registrants in the financial sector, including broker-dealers, investment companies, registered investment advisers, and others. Also in the crosshairs are public companies, third-party service providers, and other organizations not currently registered with SEC, but which support or interact with SEC-registered companies.

Specific regulations that the SEC is proposing to change:

  1. Expanding Regulation Systems Compliance and Integrity (Reg SCI) to cover more entities, including market-makers, broker-dealers, and other financial entities. Reg SCI requires the entities it covers to maintain robust technology programs, business continuity plans, testing protocols, data backups, and more.
  2. Implementing new regulations for financial sector registrants, like investment companies, investment advisers, and broker-dealers, not covered by Reg SCI around cybersecurity hygiene practices and incident reporting.
  3. Modernizing Regulation S-P, which deals with data privacy, changing the scheduling and content of notifications to clients about data breaches involving personally identifiable information.

These changes would significantly impact a wide array of companies and subject them to expanded or newly instituted regulations that they may not be prepared to meet.

If your organization requires assistance with keeping up with and implementing these and any other cybersecurity compliance requirements, reach out to our experts. Coretelligent has a suite of solutions, including CoreArmor and CoreBDR, designed to address the compliance and security needs of the financial sector. With more than 16 years of experience helping clients navigate a whole host of IT compliance regulations and bolstering their cybersecurity posture, we can help your firm understand and meet its regulatory requirements.