Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Unpacking the Changes (Part 1)

In early February 2022, the U.S. Securities and Exchange Commission (SEC) voted on the proposal of rules regarding cybersecurity risk management for the industry, specifically for registered investment advisers, and registered investment companies and business development companies (funds).

While the public review period on the proposed changes to cybersecurity regulations ends in April, it’s important for the industry to understand the impacts of the proposed rules, as well how it relates to the SEC’s three-part mission to cybersecurity in this highly transformational and hyper-technology dependent time in society and the industry.


Breaking Down the Rules

The four proposed changes are not surprising, as many participants in the industry have already implemented some of these requirements within their firm’s policies and procedures. In fact, many firms today already practice the needed protocols, but the memorialization and effective practice is the essential part of the proposed changes.

From the SEC’s Fact Sheet: Cybersecurity Risk Management, the proposal requires:

  1. The adoption and implementation of adequately designed written policies and procedures that focus on cybersecurity risks. The proposed rules detail the general, yet essential, components that should be included within the cybersecurity section or portion of the firm’s policies and procedures. These factors would address operational risks, like unauthorized access.
  2. Informing the Commission of any, and all, significant cybersecurity events, attacks, and/or breaches on the proposed Form ADV-C. While still confidential, the intent is to increase the effectiveness and enable the ability of the Commission to monitor and evaluate the effects of cybersecurity incidents, identify trending risks and patterns, as well as assess the potential impacts that affect the financial industry.
  3. Enhancing the disclosures to prospective and current clients related to cybersecurity incidents. While disclosures to prospective and current clients on the Form ADV brochure is a current expectation, the proposed rule necessitates an area of the disclosure specific to cybersecurity risks and incidents.
  4. Sufficient creation and maintenance of cybersecurity-related books and records. While the Advisers Act currently dictates the need for maintaining, making, and retaining books and records, the proposed change includes that firms maintain specific records that directly address the cybersecurity risk management rules.

But understanding the proposed rules is just the first step. With these possible changes on the horizon, firms and the industry need to start making the needed adjustments to their compliance programs. Within this 4-part blog post series, the team at Core Compliance & Legal Services, Inc.SM (“Core Compliance”) will unpack and provide proactive steps and insight to each of the proposed rules.

In the meantime, Core Compliance can assist you and your firm in navigating next steps of the proposed rules and make recommendations specific to your circumstances and address these proposed amendments. For more information or assistance, please contact us here or at (619) 278-0020.