Understanding the SEC’s Proposed Cybersecurity Risk Management Rules: Where to Start (Part 2)

With the alarming increase in ransomware, cryptojacking, phishing and other related cyberattacks, the Securities and Exchange Commission (SEC) has proposed new rules designed to enhance cybersecurity preparedness, maintain orderly markets and protect investors against cyber fraud.  The proposed rule was released on February 9, 2022, with the public comment period ending on April 11, 2022.  The number of recent cyberattacks has made it clear that significant regulatory change is coming, and there are proactive steps advisers can take now.

In our last blog post, we unpacked the four requirements in the SEC's proposed Cybersecurity Risk Management Rules. We now continue the series with blog posts focusing on proactive steps for each of the proposed changes.

To start, firms should familiarize themselves with cyber protection expectations. Aside from the proposed rules, other guidance has been provided by the SEC, including the Cybersecurity Risk Management Fact Sheet.

Four Proactive Steps to Start

Under the proposed rules, the SEC would require advisers and funds to adopt and implement policies and procedures reasonably designed to address cybersecurity risks. The policies and procedures must address operational and other risks that could harm clients and investors or lead to the unauthorized access to non-public information, including personal information of their clients or investors.

Firms have the responsibility of ensuring all of their systems and data are captured and protected by existing risk-management processes, including data handled or monitored by third-party providers.  Under the proposed rule, firms would be required to formally adopt a risk management framework that addresses these elements and to put in place a preparedness plan for when, not if, a cyberattack happens.

Proactive steps:

  1. Perform a cybersecurity risk assessment. Identify the systems, data and vendors where risk is concentrated.
  2. Perform a review of previous cyber incidents, even ones as simple as a phishing email. Prepare a report that describes the review, explains the results, documents any incidents that have occurred, and discusses any material changes to policies and procedures. Include provisions for testing going forward.
  3. Stay informed of all rule changes and enforcement initiatives.
  4. Hire a compliance consultant to conduct the risk assessment and assist in evaluating policies, procedures and disclosures.


How We Can Help

For advisers who haven't been through this before or don't have the resources to hire a cybersecurity firm, a best practice is to engage a consultant not only to assist with or perform a cybersecurity risk assessment, but to help your firm create and navigate a strategy or action plan.

The team at Core Compliance & Legal Services, Inc. SM ("Core Compliance") can assist with or perform a cybersecurity risk assessment and make recommendations specific to your circumstances that address these proposed amendments. For more information or assistance, please contact us here or at (619) 278-0020.