Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Disclosure of Cybersecurity Risks and Incidents & Recordkeeping (Part 4)

In this four-part blog post series, we have been discussing the proactive steps firms can take in response to the proposed changes to cybersecurity regulations announced by the U.S. Securities and Exchange Commission (SEC).

Read Part 1: Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Unpacking the Changes

Read Part 2: Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Where to Start

Read Part 3: Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Reporting of Significant Cybersecurity Incidents

In this final blog post, we discuss the impact of the proposed rules on disclosure and recordkeeping, and the best practices for each.

With the 2022 Form ADV filing deadlines now behind most firms, the industry still has to prepare for the disclosure requirements coming in 2023. Firms should start now to prepare for these shifts in disclosure and to create the policies and procedures for reporting and recordkeeping.

Under the proposal, firms would be required to amend Form ADV Part 2A to disclose cybersecurity risks and incidents to an adviser’s clients and prospective clients. These disclosures would have to describe the likelihood that a cybersecurity risk or incident could occur, the safeguards in place to prevent it, and whether such incidents could harm clients.

Proactive step:

  1. Engage a consultant, a cybersecurity firm, or a third-party compliance partner to confirm that every disclosure is accurate and supported by objective evidence and documentation (for example, the firm’s most recent risk assessment and incident records), since this will be an area of scrutiny during SEC examinations.



Under the proposed rules, firms would also be required to maintain certain records related to their cybersecurity policies and procedures and to the occurrence of cybersecurity incidents.

Proactive steps:

  1. Maintain a copy of the current cybersecurity policies and procedures and of all previous iterations, each dated so the firm can show which version was in force at the time of any incident.
  2. Maintain a copy of the firm’s annual review, including the review of its cybersecurity policies and procedures.
  3. Keep records of every cybersecurity incident, every Form ADV-C filed, and every cybersecurity risk assessment performed in the last five years.


An Ambitious 2022 Regulatory Agenda

The SEC is considering more than 50 regulatory proposals under Chair Gary Gensler. The regulatory landscape is changing rapidly, and it places greater pressure on firms to maintain accurate and thorough policies and procedures covering cybersecurity, fiduciary duty, the protection of senior investors, and much more.

The specialized experts at Core Compliance & Legal Services, Inc.SM (“Core Compliance”) can assist your firm’s compliance efforts with your specific cybersecurity assessment and compliance program needs. Our team acts as an extension of your firm so you can focus on clients during market volatility caused by pandemics, geopolitical concerns, and other unforeseen challenges. For more information or assistance, please contact us here or at (619) 278-0020.