The Securities and Exchange Commission (SEC) has introduced updated cybersecurity risk management rules, initially proposed in February 2022. These regulations, which apply to investment advisers, registered investment companies, and business development companies, require entities categorized as “advisers” and “funds” to comply with enhanced cybersecurity measures.
Goals of the New Rules
The primary objectives of the new proposal are to:
- Strengthen cybersecurity preparedness.
- Improve transparency regarding cybersecurity risks and incidents.
- Enhance SEC oversight capabilities.
The rules consist of four main components:
1. Cybersecurity Risk Management Policies
Under proposed Rule 206(4)-9 of the Advisers Act and Rule 38a-2 of the Investment Company Act, advisers and funds must establish and implement comprehensive cybersecurity policies. These policies are designed to identify and address a range of cybersecurity risks, mitigate operational vulnerabilities, and prevent unauthorized access to sensitive information.
2. Incident Reporting Requirements
Rule 204-6 mandates that advisers report significant cybersecurity incidents to the SEC. These incidents, affecting funds or private fund clients, must be disclosed via Form ADV-C. By collecting this confidential information, the SEC can better assess the impact of incidents on advisers and clients, as well as evaluate potential systemic risks within financial markets.
3. Disclosure Obligations
Amendments to Form ADV Part 2A require advisers to inform clients and prospective clients about cybersecurity risks and significant incidents. Similarly, funds must disclose such incidents in their registration statements using standardized data formats. This increases transparency for investors and stakeholders.
4. Recordkeeping Requirements
New recordkeeping amendments under the Advisers Act and Investment Company Act obligate advisers to maintain records related to cybersecurity policies and incidents. Funds must also retain copies of their cybersecurity policies and any associated documentation. These measures ensure proper documentation and accountability.
Rationale Behind the Rules
The SEC’s push for these stricter cybersecurity standards stems from the growing reliance on technology in the financial sector. Unlike public companies governed by existing regulations such as the Sarbanes-Oxley Act, many non-public funds and advisers have not been subject to robust cybersecurity mandates. This gap leaves firms and their clients vulnerable to cyberattacks and data breaches.
Current Cybersecurity Landscape
Increased Threats: Surveys indicate a rise in cyberattacks across the financial industry. For example, a 2023 study by Agio revealed that 77% of hedge funds experienced cyberattacks in insourced environments, up from 39% in 2022. Additionally, the severity of these attacks grew to 87% in 2023 compared to 58% in 2022.
Rising Costs: The FBI’s Internet Crime Complaint Center reported 3.8 million cyber-related complaints over the past five years, with total losses reaching $37.4 billion. In 2023 alone, reported losses exceeded $12.5 billion, including incidents involving phishing, ransomware, and business email compromises.
Generative AI Risks: Emerging technologies, such as generative AI, are being exploited by cybercriminals to create malicious code and phishing strategies. While platforms like ChatGPT are introducing safeguards, alternative tools like WormGPT continue to enable unethical use.
Protecting Investors
One of the SEC’s key objectives is to protect investors in smaller, non-public firms. These firms often lack comprehensive cybersecurity frameworks, which increases the risk of data breaches and operational disruptions. The new regulations aim to enforce stronger cybersecurity policies, driving increased spending in this area to safeguard sensitive data and ensure investor confidence.
Ensuring Compliance
To align with these new regulations, funds and advisers can take several proactive steps:
- Develop cybersecurity roadmaps tailored to their specific risk profiles.
- Conduct regular policy reviews and updates.
- Implement staff training programs focused on cybersecurity awareness.
- Engage external technology risk experts to evaluate and strengthen defenses.
Partnering with specialists in cybersecurity compliance can help funds and public companies create and maintain robust systems that adhere to these new SEC requirements. These efforts will not only ensure regulatory compliance but also reduce the likelihood and impact of costly cyber incidents.
Are you ready for these SEC requirements?