SEC Takes on Cybersecurity
Articles by: Richey May, Feb 15, 2023
What Rule 17 could mean for fund managers and investment advisors
Every day, fund managers and investment advisors plug into a vast array of interconnected systems and networks from a wide range of providers. You use digital tools to engage with clients. You rely on technology to deliver investment advice. And with every interaction and transaction, your risk of a crippling cybersecurity attack compromising your clients’ data increases.
To mitigate these risks, the Securities and Exchange Commission (SEC) has proposed new policy, reporting and recordkeeping requirements for SEC-registered fund managers, investment advisors and firms. The new regulations, known as Rule 17, will require industry-wide adoption and implementation of cybersecurity policies, procedures and controls that are “reasonably” designed to handle cybersecurity risks and threats.
What’s reasonable and what’s in the SEC proposal exactly?
Seeking to address the efficacy of common industry practices around cybersecurity and the transparency of disclosures to clients and shareholders, the SEC proposal recommends:
- Enhanced reporting on cybersecurity incidents (single or total annual incidents)
- Periodic regulatory reviews of cybersecurity:
  - Policies and procedures and management’s role in implementing them
  - Expertise and oversight of risk management by the board of directors
  - Disclosures for the alternative investments industry
Seems “reasonable” enough. Rule 17 also requires these details on significant incidents:
- Affected entities
- Timing and status of the incident
- Data stolen, altered, accessed or used for an unauthorized purpose
- Effects of the incident on the fund’s operations
- Steps taken to remediate the incident
9 questions to ask and answer now
When the new SEC regulations will go into effect is hard to say, but we are anticipating an announcement in April. Regardless, this much we do know: You can – and should – take steps to prepare. After all, why risk a breach and its potential financial impact, not to mention regulatory scrutiny, permanent data loss or even business closure? By preparing now, you safeguard your interests and those of your clients.
Start by taking a hard look at these nine questions:
- Is your cybersecurity program included in the enterprise strategy and governance, risk and compliance programs?
- Do you have dedicated, experienced and accountable cybersecurity staff or consultants?
- Are the board of directors and executive management educated in cybersecurity risk and threat management?
- Do you know your material threshold for cybersecurity risks and incidents, including overall, performance and specific materiality?
- Does your business continuity or disaster recovery plan include data breach scenarios?
- Are you periodically reviewing alerts to understand the context or severity of threats?
- How will you track and respond to “minor” incidents, and what if they turn into bigger problems?
- How will you report more than one incident that exceeds materiality thresholds?
- How can your business demonstrate and respond to connections between events?
How to get ready for Rule 17
Once you’ve answered those questions, you can start taking action. First, you’ll need to prove you have data safeguards in place and procedures to ensure they’re operational. In other words, you need cybersecurity systems that can detect data breaches and a communication plan for notifying leadership and investors.
In your reporting and annual audits, you’ll have to attest to and share evidence that these internal controls exist. Rule 17 would require keeping records of policies and procedures, reports and annual reviews for at least five years (the first two years in an easily accessible place). Specifically, you’ll need to maintain copies of:
- Cybersecurity policies and procedures
- Written reports provided to the board
- Records documenting your cybersecurity annual review and risk assessments
- Any report of a significant fund cybersecurity incident
- Records documenting the occurrence of a cybersecurity incident, including records related to any response and recovery from an incident
To that end, the SEC proposal includes:
- Form 8-K. SEC registrants will need to use this amended form to disclose information about a material cybersecurity incident within four (4) business days after determining an incident has occurred.
- Regulation S-K, 160(d) and Form 20-F, 16J(d). You’ll use these forms to provide updated disclosures relating to previously disclosed or undisclosed cybersecurity incidents when those incidents become material and pose fiscal impact to the company.
- Form 6-K. You’ll use this form to add cybersecurity incidents in your annual submission.
Finally, there’s the matter of disclosures on cybersecurity risk management and your overall cybersecurity strategy and IT governance. Prepare to:
- Provide and describe your cybersecurity policies and procedures, including how and when you’ll assess and manage risk, and whether cybersecurity is part of your overall business strategy, enterprise governance, financial planning and capital budget process
- Define the board of directors and/or executive management oversight of cybersecurity risk, including management’s role, the role of key third parties in assessing and managing cybersecurity risk and the implementation of a cybersecurity program
- Discuss the cybersecurity expertise on your board, including disclosure in annual reports and specific proxy filings of any board member with cybersecurity expertise
Key takeaways: Even if you don’t need to be SEC compliant, internal cybersecurity controls and data protection procedures will only increase your data privacy and security. It just makes good business sense to have a cybersecurity strategy and start taking small steps now.
Not sure where to begin? Talk to our cybersecurity experts. They can help you get started and ease into the transition when the time comes. To learn more, email Steve Vlasak.