The SEC proposed new cybersecurity risk management rules, including changes that would require both advisors and funds to create policies and procedures “reasonably designed to address cybersecurity risks,” according to the commission.
“Registered investment advisors, investment companies, and business development companies currently have to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations,” SEC Chair Gary Gensler said about the proposed rules. “Today’s release builds upon those requirements.”
Gensler was supportive of the new set of proposed rules, along with Commissioners Allison Herren Lee and Caroline Crenshaw, while Commissioner Hester Peirce was not in favor.
According to Gensler, the new rules would require additional record-keeping obligations for both advisors and private funds, and would demand advisors confidentially report certain "significant" cyber incidents to the SEC. They would also demand that advisors and funds disclose certain types of cybersecurity incidents to clients and investors.
While advisors currently have to provide disclosures on practices, fees, risks and conflicts as a part of their Form ADV, the new rules would amend the form’s Part 2A to require advisors to disclose cybersecurity risks and incidents. Gensler hoped the reforms would lower the risk cybersecurity poses to all registrants.
“I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries’ cyber risks,” he said.
In the proposed rule, the SEC defines a "significant" cyber incident as one that “disrupts or degrades the advisor’s ability…to maintain critical operations” in a way that could lead to substantial harm to the advisor or clients. If an advisor can’t use their internal computer systems because of a malware shutdown, for example, that may impair their ability to provide client services, perhaps for days or weeks. Significant harm to a client is harm that leads to “significant monetary loss or the theft of personally identifiable or proprietary information,” according to the SEC.
The commission's proposal requires firms to report these breaches to the SEC within 48 hours to help monitor the effects on the advisor and clients. A number of similar complaints in a short time frame could also indicate a broader problem.
Last fall, the commission’s Enforcement Division charged eight firms with cybersecurity shortfalls in failing to protect clients’ private information after bad actors were able to take over the companies’ email accounts. After the violations were announced, a number of cyber experts questioned the commission’s specificity, arguing that the commission needed to be clearer about what it was requiring of firms in the first place.
In a statement supporting the proposed rules, Lee argued that by some measures there’d been a nearly 70% rise in “data compromises” since 2020, while Crenshaw noted that the G20 had recently made cyberattacks a priority, saying they “could disrupt financial services crucial to both national and international financial systems.” Lee approved of the 48-hour notification timeline for advisors to inform the commission about a cyber incident but said there was no specific time attached to when clients must be told.
“Instead such notification would need to be made ‘promptly.’ Should investor notification be tied to a more discrete time frame to ensure timeliness?” she asked. “And, what specific information do investors need to know about such incidents?”
In her critique of the proposed rules, Peirce acknowledged that cybersecurity was a “uniquely challenging” threat, and found that the release was balancing the need to notify both the commission and clients about cybersecurity incidents with concerns about mandates leading to “over-disclosure.” But Peirce cautioned that a successful cyberattack on an advisor, firm or fund doesn’t necessarily mean that firm erred in its cybersecurity preparations.
“We should stand ready to assist advisors and funds in the fight against cyberattackers,” Peirce said. “Absent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”
The proposed rules will be published both on the SEC site and in the Federal Register, and the public comment period will be open for the longer period of 60 days following its publication on the site or 30 days after its publication in the Register.