Cybersecurity has become a major concern within the financial services sector. Recognizing the need for increased transparency and improved data security, the U.S. Securities and Exchange Commission (SEC) has issued a new rule1 outlining cybersecurity requirements for all registered investment companies and registered investment advisers (“RIAs” or “advisers”). Implementation of this new SEC rule is intended to help advisers safeguard their (and their investors’) sensitive data, track and ward off cyber threats, and protect the US financial system. By adopting these requirements, companies will move toward a more robust cybersecurity strategy, build trust with investors, and mitigate potential financial, operational, and reputational risks.

Expanding Risk for Financial Service Firms

An ever-increasing share of financial and trading transactions are dependent on third-party electronic platforms and disruptions to those systems can significantly impact operations. Of greater concern is the potential for large-scale attacks that could impact the US economy. According to SentinelOne, Ransomware attacks on financial services have increased from 55% in 2022 to 64% in 2023, which is nearly double the 34% reported in 2021. And, according to IBM and the Ponemon Institute, the average cost of a data breach in the financial sector in 2021 was $5.72 million. This increase in cybersecurity incidents has been fueled by several factors:

  • An increase in remote work
  • Reliance on third-party service providers for technology services
  • Monetization of cyberattacks facilitated by ransomware and stolen data sold on black markets
  • Fast-changing criminal tactics aimed at employees and systems

The significant costs and negative impacts of a cybersecurity incident on financial service companies have substantially increased. The costs associated with cyber incidents include

  • business interruption
  • lost revenue
  • ransom payments
  • remediation costs
  • liabilities to affected parties
  • cybersecurity protection costs
  • replacing damaged or destroyed equipment
  • litigation risks
  • reputational damage
  • potential SEC fines.

OVERVIEW OF THE SEC CYBERSECURITY RULES

The new SEC cybersecurity rules were introduced to address the growing threat of cyber-attacks and to enhance investor protections. In the past, the SEC provided guidance regarding cyber protections but has now moved to regulation to speed the adoption of modern cybersecurity protections. The new rule requires registrants to adopt cybersecurity policies and procedures reasonably designed to address cybersecurity risks, develop cybersecurity monitoring and protections, disclose information about cybersecurity risks and incidents, report information confidentially to the SEC about certain cybersecurity incidents, and maintain related records.

The new rule also includes updates to RIA disclosure requirements to provide current and prospective advisory clients and investors with information regarding cybersecurity risks and previous cybersecurity incidents. In addition, the rule requires advisers to report material cybersecurity incidents affecting the adviser’s operations, its fund, or exposure of client information to the SEC on a confidential basis. Additionally, the new rules require advisers to safeguard customer records and information and properly dispose of consumer report information.

NEW REQUIREMENTS FOR REGISTERED INVESTMENT ADVISERS

INCIDENT REPORTING

RIAs must disclose to the SEC and investors material cybersecurity incidents that occurred within 48 hours after a significant incident and any incident that has occurred in the past year. This includes incidents with potential financial, operational, or reputational impacts. Advisers should establish robust incident response plans and ensure accurate and timely incident reporting to the SEC and other regulatory bodies.

MATERIALITY ASSESSMENT

Advisers are expected to assess the materiality of cybersecurity risks and incidents based on quantitative and qualitative factors. This assessment should consider potential harm to operations, reputation, and financial condition. Advisers should evaluate the materiality of cybersecurity risks specific to their industry and tailor their risk management strategies accordingly.

REGULATORY COMPLIANCE

Registered Investment Advisors must ensure compliance with the new SEC rules to avoid regulatory scrutiny and potential penalties. They are required to document and put into place robust cybersecurity risk management policies and procedures, equipment, and monitoring to defend against cyber threats, enhance board and management oversight, educate employees, and develop effective incident response plans.

COLLABORATION WITH CYBERSECURITY PROVIDERS

Advisers often rely on external service providers for cybersecurity expertise and support. The new SEC rules emphasize the need for collaboration with these providers to ensure effective risk management, incident response, and compliance. Advisers should establish strong partnerships with service providers with a depth of experience with modern cybersecurity threats and incident response.

AUDITING THIRD-PARTY PROVIDERS

Some of the typical third-party providers include prime brokers, asset custodians, third-party administrators, valuation or pricing vendors, and outsourced IT providers. Advisers are required to thoroughly evaluate a service provider’s cybersecurity measures and protocols when deciding who to work with. This involves reviewing their cybersecurity policies, procedures, and practices to ensure they align with industry best practices. Key areas to assess include data encryption, access controls, breach notification process, employee training, and handling and access of client data.

BEST PRACTICES FOR EFFECTIVE CYBER RISK MANAGEMENT

CONDUCT REGULAR CYBERSECURITY RISK ASSESSMENTS

Advisers are required to conduct annual cybersecurity risk assessments (penetration and vulnerability testing) to identify vulnerabilities and potential threats. These assessments must be comprehensive, covering all aspects of the business network, access controls, and third-party and cloud service providers. While the rule specifies one scan per year, the rate of change in cyber threats would suggest more frequent vulnerability scans. Once vulnerabilities are uncovered, plans and investments can then be put into place to prioritize and close security gaps.

ESTABLISH A CYBERSECURITY GOVERNANCE FRAMEWORK

Investment Advisers should develop and implement a robust cybersecurity governance framework with policies and procedures that align with industry best practices. This framework should include clear roles and responsibilities, incident response and business continuity plans, regular board oversight and reporting, and annual reviews and updates of these policies.

CONDUCT REGULAR EMPLOYEE TRAINING

Employees tend to be the weakest link in a cybersecurity program. It’s estimated that over 90% of all successful cyberattacks start with a phishing attack. According to APWG’s Phishing Activity Trends Report, 2022 was the highest year on record with 4.7 million phishing attacks, 27.7 percent of which targeted the financial sector specifically. Providing annual or ongoing cybersecurity awareness training for all employees ensures they know best practices and how to identify potential threats. This should include training on password management, phishing awareness, and safe browsing habits.

DEVELOP A CONTINUOUS MONITORING AND DETECTION APPROACH

The new regulation requires continuous monitoring of threats with response mechanisms in place. This includes a centralized database of threat logs, responses, vulnerability testing, and remediation approaches to guide future threat responses. While installing security devices such as firewalls and endpoint detection to protect remote devices are key components of a cybersecurity plan, collecting, analyzing, and responding to threat alerts 24/7 enhances an organization’s ability to ward off attacks and to catch irregular behaviors faster.

CONDUCT REGULAR EXERCISES OF YOUR INCIDENT RESPONSE PLAN

Evaluate your incident response plan to ensure it is comprehensive, up-to-date, and regularly tested. Tabletop exercises are a good practice so teams understand their responsibilities and can identify potential weaknesses to update in a safe environment. This also includes crisis communication plans and templates, contacts with incident response teams, contacts with federal and state law enforcement, and business continuity plans.

REVIEW CYBERSECURITY INSURANCE

For investment advisers, acquiring a comprehensive cybersecurity insurance policy is crucial to mitigate the risks and potential financial damages from cyber-attacks. Typically, cybersecurity insurance policies cover a range of expenses and liabilities, including data breach response, legal defense costs, regulatory fines and penalties, and potential liability for failing to adequately protect sensitive client data. Some policies may also offer additional coverage for business interruption losses, reputational damage, and cyber extortion incidents.

Advisers should carefully examine the policy’s terms and conditions to determine if breaches occurring at a third-party provider are covered. This may involve analyzing the policy’s definitions, exclusions, and limitations related to breaches at third-party providers. Consulting with the insurance provider or a legal expert may be beneficial to fully understand the coverage.

Implementing the new cybersecurity rules announced by the SEC is the new normal for financial service companies operating in today’s digital landscape. These rules not only enhance transparency and accountability but also provide a framework for advisers to safeguard their sensitive data and protect against cyber threats.

By embracing these rules, advisers can establish robust cybersecurity risk management programs, enhance management oversight and governance, and improve incident response and reporting capabilities. Compliance with regulatory standards is crucial to avoid scrutiny and penalties and to maintain the trust of investors and stakeholders.

Effective implementation of this rule helps companies mitigate potential financial, operational, and reputational risks associated with cybersecurity incidents. This sends a strong message to clients, investors, and partners about the company’s dedication to protecting sensitive data and maintaining the integrity of its operations.

Contact Secure Cyber Defense to learn how you can evaluate your vulnerabilities and work to achieve and remain compliant.

  1. This blog references the Final Rule: Cybersecurity Risk Management, Strategy, Governance and Incident Exposure as part of the Exchange Act.