Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Reporting of Significant Cybersecurity Incidents (Part 3)

So far in this blog post series we’ve covered the understanding of the proposed rules and how to start implementing within your firm. When it comes the proposed cybersecurity regulations announced by the U.S. Securities and Exchange Commission (SEC), we find that it is best to dissect each section into manageable parts, as each component is critical part of your firm.

One of the critical areas within the proposed rules requires advisers to report significant cybersecurity incidents by submitting a new Form ADV-C.

It is imperative that firms are mindful that even the smallest breach of network data or non-public information a client provides would need to be reported to the SEC, if deemed significant or material.  The proposed rule defines a significant adviser cybersecurity incident as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.

This proposal includes a 48-hour reporting timeline which could pose potential problems for many firms, especially when forensic analysis is required. Below are some proactive steps firms can take to meeting this reporting requirement.

Proactive steps:

  1. Review. Review. Conducting initial and ongoing due diligence of service providers routinely is essential. As part of the due diligence process, ensure appropriate attention is given to cybersecurity protocols. This is to ensure your firm has the necessary information to maintain compliance with the proposed rule.
  2. Notifications and Triggers. When drafting your policies and procedures (“P&Ps”), firms should assign responsibility for making timely notifications and determine which cybersecurity breaches would trigger the 48-hour notification requirement. It is also crucial that within the firm’s P&Ps, firms make certain all relevant information is included in the cyber policy.


How We Can Help

As many firms and advisors have shifted into a more digital and remote work landscape, so should your compliance program. This shift/need has also caught the eye and attention of numerous regulatory agencies.

The team at Core Compliance & Legal Services, In. SM (“Core Compliance”) can assist with not only assessing your firm’s protocols to identifying cybersecurity risks and reporting cyber threats and attacks, but we can make recommendations specific to your circumstances and address these proposed amendments. For more information or assistance, please contact us here or at (619)278.0020.