SEC proposes cybersecurity rules, incident disclosure for investment funds and advisors

The SEC has proposed new rules that would require investment funds and advisors to implement written cybersecurity programs that address mounting cybersecurity risks. The rules, if passed, would also require funds and advisors to publicly report “significant” security incidents and provide documentation of cybersecurity risks.  

The proposal lays out recommendations for five key areas: Risk assessment, user security and access, threat and vulnerability management, information protection, and cybersecurity incident response and recovery. In addition, the Commission aims to build board oversight by stipulating that a board of directors approve initial cybersecurity policies and procedures. Boards must also review and green-light annual written reports on cybersecurity incidents and updates.

In announcing the proposed rules, the SEC cited the escalating frequency of cybersecurity incidents arising from today’s constantly morphing threat landscape. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisors and funds against cybersecurity threats and attacks,” SEC Chair Gary Gensler said in a statement.

The SEC notes that some funds and advisors may lack sufficient understanding of specific cyber-risks and threats and therefore may pose a hazard to their clients and investors.

The proposed rules and amendments to the Investment Advisers Act and Investment Company Act stipulate that “confidential” reporting of cybersecurity incidents must be made within 48 hours of discovery. Funds and advisors must also make appropriate disclosures to clients and investors, including on their marketing materials.

Currently, no SEC rules explicitly require funds and advisors to have a comprehensive cybersecurity program. It’s worth noting that the Commission already requires registered broker-dealers to adhere to these cybersecurity rules. 

Preparing for cybersecurity

Cybersecurity poses a legitimate risk to all businesses, and fund administrators are no exception. Ahead of the SEC rules being ratified, companies should take this opportunity to identify current cybersecurity threats within their ecosystem and begin a path to mitigation. Only once a baseline understanding of cyber risk is identified can organizations properly begin to meet SEC requirements, among others.

The first step will be to carefully review the proposed rules to understand the security controls, practices, and policies that must be developed and deployed. Firms will need to design effective controls and incorporate them into organizational policies and culture. Make sure to allocate adequate time for this process. 

It’s also essential that funds and advisors clearly understand that cybersecurity is a core business responsibility – not an IT issue. Boards should take the lead in making sure a security mindset permeates the organization.  This may take some effort in educating board directors who may have limited exposure to and understanding of cyber threats.

Taking the long view

Given the current cybersecurity landscape, the SEC is on the right track with its proposed rules for funds and advisors. In fact, the rules make a lot of business sense for all players: advisors and funds, public and private investors, and business partners.

It’s also prudent that the SEC is taking the long view on cybersecurity. The Commission is raising awareness of the need for cybersecurity programs for funds and advisors of all sizes. And disclosures of cybersecurity capabilities and incidents would enhance transparency, which is essential to customer trust and ultimately business success.

Cybersecurity mandates would force funds and advisors to understand and adopt up-to-date, risk-based practices. Firms that are growing toward the $150 million minimum required for SEC registration should pay particular attention. They may need to adopt these requirements if they register with the Commission in the future. And as they do, it’s all but inevitable that adoption of stronger cybersecurity will trickle down to smaller funds.

Finally, board oversight would help drive home the point that cybersecurity is a fundamental business requirement. Funds and advisors may need to hire a cybersecurity expert to educate and advise their board. Another option is a board-level cybersecurity committee to keep the board up to speed. It’s a nascent but increasingly popular option: Today, less than 10% of boards have a dedicated cybersecurity committee, but Gartner estimates that by 2025 the number will climb to 40%.

The SEC proposal has been published on the SEC website and will remain open for public comment until approximately mid-April. While it’s not likely that the proposed rules will be finalized any time soon, we recommend that all potentially affected businesses review their policies and capabilities now and start preparing to make any necessary additions or adjustments. It’s also a good time to make sure all employees, including leadership, are aware of cyber priorities and how to help mitigate threats.

Contact our team to learn more about how these proposed regulations could affect your fund.