How RIAs Can Prepare for the SEC’s Proposed Cybersecurity Rule

Proposed SEC regulations may create more stringent requirements for disclosure and recordkeeping regarding cyberattacks.

By 2023, an estimated 33 billion accounts will be affected by a cyberattack. Even worse, the vast majority (74%) of botnet attacks (a form of cyberattack targeting internet-connected devices to compromise systems) target the financial sector.

The growing concern about underreported cybersecurity incidents has prompted a proposed new rule from the Securities and Exchange Commission (SEC) aimed at improving resilience against cyberattacks. If the new rule is accepted, RIA firms would be obligated to disclose the following information about cybersecurity incidents:

Within this set of provisions, the SEC has proposed new requirements for the manner and timeliness in which firms must report cybersecurity incidents. We highly recommend that firms provide cybersecurity training to all their employees on a regular basis. Below is a six-step response plan for any employee to follow if they suspect cyberattackers have targeted them:

  1. Do not have employees turn their computers off, but rather disconnect them from the network. This can be completed with the following steps on a Windows computer:
    • Click on the Start menu
    • Click on “Settings”
    • In the settings menu, select “Network Connections”
    • Right-click the active connection and select the “Disable” option
  2. Windows users should start a full system antivirus/antimalware scan on the computer. Most antivirus programs place an easy-access icon in the Windows system tray (the small icons next to the clock on the taskbar) that can be used to quickly launch a scan. Your employees should be comfortable launching these types of scans; if they are not, regular IT training should take place. Mac users should consult with their IT on this step, as it will depend on their specific operating system.
  3. Contact IT support immediately. It is very important that the employee share detailed information about their suspicions as soon as possible. IT should record the exact time of the event (as close as possible), what was experienced, and any information/data that might have been entered into screens or used during the incident. This will ensure that the IT support team can help prevent any further compromise.
  4. Once the incident is in the hands of IT, have the employee take a moment to review their notes and verify that everything has been clearly and correctly notated. Employees can email the notes to themselves to keep a record of the incident. Ensure the following information is captured:
    • The date and time of the incident
    • What software they were using when the incident occurred
    • If any files or email attachments were downloaded
    • What information, if any, was entered into a web browser
    • If a login occurred, what username and password were used, and, more importantly, whether that same password is used with any other accounts or logins
  5. If the employee logged in, ensure that they update all passwords that are the same as or similar to the password that was shared with the attackers. The same or similar passwords should never be reused, and now is the time to change all of those passwords and make sure that each one is different.
  6. Finally, ensure that the incident is communicated to management as soon as possible. Proposed SEC regulations may create more stringent requirements for disclosure and recordkeeping regarding such attacks. The notes taken in steps three and four will be required for your organization to meet these requirements.
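The following PowerShell script is an added example, not part of the article or of any ComplySci tooling, showing how an IT team could hand employees a single "isolate and document" helper that performs steps 1, 2 and 4 of the plan above on a Windows machine. It assumes the built-in NetAdapter and Defender modules (Windows 10/11), an elevated prompt (Disable-NetAdapter requires administrator rights, so on managed laptops IT would typically deploy it rather than rely on the employee's own permissions), and the note file path and field names are this example's own choices.

```powershell
# Added example (not from the article): an IT-provided "isolate and document"
# helper for steps 1, 2 and 4 of the response plan. Run from an elevated
# PowerShell prompt on the affected Windows machine. Assumes the built-in
# NetAdapter and Defender modules; the note path and fields are assumptions.

# Step 1: take the machine off the network without powering it down.
# Only physical adapters that are currently up are disabled; the machine stays
# on so volatile evidence (running processes, memory) is preserved for IT.
function Disable-HostNetwork {
    $adapters = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
    foreach ($a in $adapters) {
        Disable-NetAdapter -Name $a.Name -Confirm:$false
    }
    return $adapters | Select-Object Name, InterfaceDescription
}

# Step 2: start a full Microsoft Defender scan as a background job so the
# employee can keep writing up notes while it runs.
function Start-BackgroundFullScan {
    return Start-MpScan -ScanType FullScan -AsJob
}

# Step 4: capture the facts the plan says must be recorded, plus the process
# list at the time of the report, into a timestamped note on the Desktop.
# The password itself is deliberately NOT written to the note: the note records
# only whether a login happened and the account name, and the employee resets
# the password (step 5) instead of storing it anywhere.
function New-IncidentNote {
    param(
        [string]$Software,              # what the employee was using
        [string]$Downloaded,            # files or attachments downloaded, if any
        [string]$EnteredInBrowser,      # information typed into a web page
        [string]$LoginUsername,         # username used, if a login occurred
        [bool]$PasswordReusedElsewhere  # same/similar password used on other accounts?
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss K'
    $file  = "incident-note-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"
    $path  = Join-Path ([Environment]::GetFolderPath('Desktop')) $file
    $login = if ($LoginUsername) { "yes, username '$LoginUsername'" } else { 'no' }
    $lines = @(
        "Incident note (employee-reported)",
        "Date/time of report : $stamp",
        "Host                : $env:COMPUTERNAME",
        "User                : $env:USERDOMAIN\$env:USERNAME",
        "Software in use     : $Software",
        "Files downloaded    : $Downloaded",
        "Entered in browser  : $EnteredInBrowser",
        "Login occurred      : $login",
        "Password reused     : $PasswordReusedElsewhere",
        "",
        "Running processes at time of report:"
    )
    $lines += Get-Process | Sort-Object ProcessName -Unique |
        ForEach-Object { "  $($_.ProcessName) (PID $($_.Id))" }
    $lines | Set-Content -Path $path -Encoding UTF8
    return $path
}

# Typical use, in the order of the plan: isolate, scan, then write the note.
# The field values below are constructed sample input.
$disabled = Disable-HostNetwork
$scanJob  = Start-BackgroundFullScan
$note = New-IncidentNote -Software 'Outlook' -Downloaded 'attachment from an unexpected email' `
    -EnteredInBrowser 'none' -LoginUsername 'jdoe' -PasswordReusedElsewhere $true
$names = ($disabled | ForEach-Object { $_.Name }) -join ', '
Add-Content -Path $note -Value "Adapters disabled   : $names"
Write-Host "Note written to $note; Defender full scan job id $($scanJob.Id). Now contact IT (step 3)."
```

The note is written locally on purpose: once the adapters are disabled the employee cannot email it to themselves, so IT collects the file when it takes over the machine. Disabling adapters rather than shutting down keeps running processes and memory available for IT to examine, which is why step 1 of the plan says not to power off.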

According to Renju Varghese, fellow and chief architect, cybersecurity and GRC, at HCL Technologies Ltd, one of the main contributors to underreported cyberattacks is siloed, disparate security solutions that don’t work together. RIAs should be leveraging technology to simplify the process for recording and reporting any attacks. A comprehensive solution will not only identify and protect your firm against cyberattacks but also provide automated processes to streamline the required record keeping and reporting.

Considering the nuances and specifications of both the SEC’s cybersecurity rules and state regulations, RIA firms interested in deploying an automated solution to help address cybersecurity protection, recordkeeping and reporting should look for a provider that specializes in RIA compliance. It’s also beneficial for the technology solution to maintain all information related to cybersecurity in a single place, making it easy and efficient for RIAs to access what they need.

The complexity of the cybersecurity landscape, coupled with teams that lack the tools and cybercrime knowledge to identify and address threats, leaves too many vulnerable to increasingly sophisticated attackers.


Julian Makas is chief information security officer at ComplySci. With more than two decades of in-depth information systems exposure, he has extensive experience in analysis, design, development, and implementation of client-server and cloud-based information systems, with a focus on information security on such topics as applications and network security, vulnerability assessment, testing and auditing, and risk assessment through network penetration testing.
