The Cybersecurity Evergreen: How Regulators Are Growing Their Focus on Cyberthreats and Protections

Today’s securities markets operate in a complex and seemingly instantaneous environment accelerated by the exponential growth of computing power and interconnectivity. This evolving market space has provided enormous opportunities for investors and investment professionals alike. The same can also be said for those who seek to misuse and manipulate markets, investment firms, investors, and more.

 

As we have moved more and more towards a cyber-based economy, those involved in malicious activity are continuously on the leading edge of complex, sophisticated schemes to achieve their goals. The SEC and other securities regulators are working diligently to provide proactive rules and guidance for protecting the investment market participants and their assets.

 

The Rise of Virtual Client Servicing

Two years ago this month, our country, along with many others, began implementing social-distancing measures due to the outbreak of the COVID-19 virus. People everywhere began the process of working from home, where possible, and companies had to adapt their methods of serving clients remotely. In the time since the initial pandemic measures went into effect, client servicing has developed more as an electronic interaction through email, interactive video or phone call with electronic record and signature solutions.

Well before the COVID-19 pandemic hit, many firms across a multitude of industries began adopting paperless recordkeeping and processing protocols. However, according to the data, the implementation of e-document and cloud-based storage solutions was fast-tracked as firms adjusted to remote work. With this move to creating, storing, accessing, and sharing documents from multiple remote locations, came the risk of unauthorized access. The global end-user spending on public cloud services grew 23% from $270 billion in 2020 to an estimated $332 billion in 2021[1]. During that same period, cloud storage leaks increased 150% in 2021 over 2020[2].

 

Risk vs Reward

The investment securities industry is familiar with risk vs reward, as well as the need to mitigate as much risk as is possible. When it comes to “cyber servicing”, a firm’s ability to continue delivering ongoing, quality service to investors in a remote environment is, no doubt, rewarding in terms of the firm’s bottom line. Firms able to adapt and pivot in the fast-changing, socially distanced world have been rewarded with client retention and growth. But, at what risk?

Recently, Gary Gensler, Chairman of the Securities and Exchange Commission (“SEC”),  said,

“State actors and non-state hackers alike sometimes try to target various entities and businesses. Why? To steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities. All this puts our financial accounts, savings, and private information at risk. The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars.”[3]

In addition to the large financial risks for both firms and investors, firms also face reputational risk. Investors trust securities professionals with their life savings, including retirement, college savings, and their overall net worth, as well as all the private, non-public information needed to open and maintain these accounts. A breach of that trust could result in an exodus of clients who no longer have confidence in the protection of their assets and non-public personal information.

Even before the pandemic hit, the SEC’s Division of Examinations (“EXAMS”), known then as the Office of Compliance Inspections and Examinations (“OCIE”), released their “Observations on Cybersecurity and Resiliency Practices”[4], which described the areas observed by OCIE at firms with more robust systems, policies, and procedures in place to help reduce the cybersecurity risks on an enterprise level. Those observed areas include:

  • Governance & Risk Management
  • Access Right & Controls
  • Data Loss Prevention
  • Mobile Security
  • Incident Response & Resiliency
  • Vendor Management
  • Training & Awareness

A detailed assessment and annual testing in each of these areas to determine gaps and strengths are an essential part of a cybersecurity program, especially with the increasing attempts at unauthorized and illegal electronic access. By reducing the cyber risks to the company and clients, firms could be rewarded with client retention, trust, and growth.

 

Recognizing the 21st Century Threats

Recent data breaches, such as SolarWinds[5], Experian[6], and Robinhood[7], have made the scope of vulnerability and risk a top priority. Additionally, Chairman Gensler addressed another potential risk in his recent speech saying, “The events of the past couple of weeks in Russia and Ukraine have once again highlighted the importance of cybersecurity to our national interest.”[8]

Where regulators such as the SEC were applying growing focus on cybersecurity before, Chairman Gensler’s comments and the recently proposed “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies”[9] show the SEC and other regulators are working to both recognize the increasing cybersecurity threats and provide protections for investors and markets. As we make our way through the third decade of the 21st Century, it is apparent the SEC is making efforts to meet the ever-changing threats with policy rules for firms to recognize, react, and report on those threats quickly and accurately.

 

The Proposed SEC Cybersecurity Risk Management Rules and Amendments

So, what is the SEC proposing regarding cybersecurity risks and protections, and how does that affect firms?

Specifically, the proposal would:

  • Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
  • Require advisers to report significant cybersecurity incidents to the SEC on the proposed Form ADV-C;
  • Enhance adviser and fund disclosures related to cybersecurity risks and incidents; and
  • Require advisers and funds to create, maintain, and retain certain cybersecurity-related books and records.

As part of the proposal, new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act would be created to require firms to enhance their policies and procedures to address operational and other risks which threaten to harm firm clients and investors and/or could allow unauthorized access.

The proposed new rule 204-6 would create a new Form ADV-C, a confidential report used to submit “significant cybersecurity incidents to the Commission, including on behalf of a fund or private fund client”[10].

An amendment has been proposed to add Item 20 to the Form ADV Part 2A to be titled “Cybersecurity Risks and Incidents” under which investment advisers would be required to describe cybersecurity risks that could “materially affect the advisory services” offered by the firm, how the firm identifies, prioritizes, and addresses those risks, and discloses any cybersecurity events within the last two fiscal years. Additionally, an amendment to rule 204-3(b) has been proposed to require investment advisers to “promptly” deliver interim Form ADV Part 2A brochure amendments to current clients when a disclosure event has been added to Item 20 or when the firm “materially revises information already disclosed” about a previously disclosed cybersecurity event.

The prosed amendment noted above would also include the reporting requirements for funds to provide similar disclosures related to cybersecurity incidents in the funds’ registration statements, as well as amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6.

Finally, an amendment to Rule 204-2 of the Advisers Act has been proposed to require investment advisers to create and maintain records relating to cybersecurity events and the proposed rule changes & amendments. Likewise, proposed rule 38a-2 of the Investment Company Act would require the same for funds.

 

Conclusion

As the world has adapted to more remote, online interactions, so has our data and record sharing. This accelerated transition has provided many opportunities for retail clients, investors, firms, and markets. Unfortunately, the opportunities come with costly risks. The recognition of those evolving risks has led the SEC and other regulators to create momentum to cybersecurity risk mitigation in an attempt to keep pace with the developing threats. How is your firm positioned for these risks and the proposed changes?

The Core Compliance team can assist firms with preparing cybersecurity assessments and updating procedures. For assistance or more information about our services, please contact us at (619) 278- 0020 or visit us at www.corecls.com for more information.

 

Author:  Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

 

[1] https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021

[2] https://finance.yahoo.com/news/cloud-storage-leaks-grew-150-174000642.html

[3] https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124

[4] https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf

[5] https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

[6] https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related

[7] https://blog.robinhood.com/news/2021/11/8/data-security-incident

[8] https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124

[9] https://www.sec.gov/rules/proposed/2022/33-11028.pdf

[10] Id.

Leave a Reply

Your email address will not be published. Required fields are marked *