What You Need to Know
- Advisors would be required to conduct — and document in writing — periodic assessments of their cybersecurity risks and information systems.
- At least annually, advisors and funds would need to review the design and effectiveness of their cybersecurity policies and procedures.
- The proposed rules would require advisors and funds to protect more data and ensure that their information systems are adequately protected,
In its most focused and significant response to cyber threats in nearly 20 years, the Securities and Exchange Commission released on Feb. 9 proposed new rules regarding cybersecurity risk management, risk disclosures and reporting. My partner Trina Glass spoke to me about the impact that Rule 206(4)-9 under the Investment Advisers Act of 1940 and Rule 38-2 under the Investment Company Act of 1940 could have on the advisory industry.
The intent of the proposed rules is to address the SEC’s concerns regarding advisors’ and funds’ cybersecurity preparedness, reduce cybersecurity-related risks to clients and investors, improve advisor and fund disclosures about cybersecurity risks and incidents, and enhance the SEC’s ability to assess systemic risks, Glass explained.
Specifically, the proposed Cybersecurity Risk Management Rules would:
- Require advisors and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.
Advisors would be required to conduct — and document in writing — periodic assessments of their cybersecurity risks and its information systems. This would need to include identification of third-party service providers that receive, maintain and process advisor or fund information or its information systems.
They would also have to include draft information of security policies and procedures reasonably designed to (1) minimize and monitor user-related risks and prevent unauthorized access, (2) include measures to detect, mitigate and remediate cybersecurity threats and vulnerability, and (3) include measures to detect, respond to and recover from a cybersecurity incident.