New SEC Cybersecurity Rules: What They Mean and How to Prep

While no company can reasonably be expected to fully eliminate risk, advisors are typically held to a higher standard for protecting data since they deal directly with client funds. These standards are always evolving; last month, the SEC proposed a new set of cybersecurity rules and requirements that could have major implications for the way advisors work. 

In this post, we’ll look at these changes and what they could mean for you. We’ll also outline a five-step plan you can start on today that will make it easier to adapt when these changes — or other similar regulatory requirements — are enacted. Let’s get going! 

Proposed Rule #1: Risk Management

The first proposed cybersecurity rule from the SEC requires all firms to “adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks.” In other words, all advisors must outline a risk management strategy of some sort. 

This rule would also require advisors and funds to conduct an annual cybersecurity risk assessment in order to assess, categorize, prioritize and draft written documentation of the cybersecurity risks associated with their information IT systems. 

If you’re not sure where to start with this, we will help you out later in this article.

Proposed Rule #2: Reporting 

The proposal would also require advisers to report significant cybersecurity incidents to the SEC. This includes any incidents that disrupt the advisor’s ability to maintain critical operations.

Advisors will need to report any incidents to the SEC in a confidential ADV form.  This will allow the SEC to better monitor and evaluate the effects of any cybersecurity attacks, and address any potential systemic risks.

Proposed Rule #3: Disclosure

The third proposed rule change would require advisors to publicly disclose previous cybersecurity risks or incidents. Any incidents in the past two fiscal years would need to be included alongside business practices, fees, risks, conflicts of interest and disciplinary information in Part 2A of a firm’s annual ADV reporting. 

This rule would also apply to funds and require that prospective and current investors be provided with cybersecurity-related disclosures in the fund’s registration statement.

Proposed Rule #4: Record keeping

The last proposed rule change would make a change to traditional record keeping. Advisers would be required to maintain internal records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents. 

For funds, proposed rule 38a-2 would require that they maintain copies of their cybersecurity policies, procedures and other related records.

How to Prepare Your Practice

It isn’t yet clear how or when the proposed SEC rule changes for cybersecurity will be enacted. But the writing is on the wall — in the months and years to come, firms will be required to implement tighter cybersecurity controls and more accurate incident reporting. Fortunately, there are steps you can take today that will make this transition easier. 

Setting up a cybersecurity plan is very similar to a football team getting ready for a game. The team spends at least a week working on their own playbook, learning the ins and outs of their opponent, and establishing a game plan. Once the game has started, the team also has to be ready to adapt on the fly depending on what the other team does.

Think of your firm’s cybersecurity strategy in the same way. 

First, you have to evaluate your own practice and your biggest potential risks, so you can get your own strategy in place. Then, once the strategy is in place, you will be constantly tweaking and adapting it depending on what types of cybersecurity threats are thrown at you.

Fortunately, while cybersecurity is a tough, ongoing fight, it’s also not something that requires a Master’s in computer science.

There is no one-size-fits-all approach when creating a cybersecurity strategy as every business need is unique. But the best place to start is with the National Institute of Standards and Technology (NIST) cybersecurity framework, which outlines 5 key areas: 

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Let’s briefly go into each pillar of the NIST framework and translate it into an actionable guide, with immediate steps that you can take for your firm.  

Pillar 1: Identify

The first pillar starts us off by identifying what the rules are and what you need to track. This involves reviewing your critical processes and assets (hardware and software) and looking at how information flows through your organization; from there, identify potential weak spots and review your existing policies to see if they are adequate. 

What to do today: 

• Make an inventory of your technology assets (computers, tablets, phones) 
• Map out how data flows through your organization to see where vulnerabilities lie

Pillar 2: Protect

Once you know the risks and what to track, you can begin to harden your position against attacks. This happens on several levels; first you need to review who has access to what. Then, you need to take steps to prevent unauthorized access and mitigate the risk of a cybersecurity event.

What to do today:

• Review access to sensitive data; set up appropriate password policies and privileges
• Turn on scheduled backups to protect sensitive data
• Review security settings on your business-critical apps 

Pillar 3: Detect

Now that you have a good plan and a rough system in place, it’s time to incorporate some tools that will keep your IT infrastructure protected on an ongoing basis. This is where you’ll likely need some support from an outside vendor — CPA Preeti Shah, writing in Kitces’ Nerd Eye View blog, has a good overview of some of your options here.  

What to do today:

• Implement continuous monitoring tools to identify cyberattacks when they happen
• Create a policy for maintaining and monitoring event logs
• Create a dedicated incident response team and recovery plan

Pillar 4: Respond

At some point, even with the best security, your advisory firm will be attacked. When that happens, you’ll need to have a plan in place so that everyone knows the necessary steps to take. 

What to do today:

• Test your response plan and update it accordingly
• Reach out to external and internal stakeholders for feedback

Pillar 5: Recover

After the immediate threat has been dealt with, your organization will need a recovery plan. How quickly can you restore service? What can you learn from an incident that will prevent it from happening again? 

What to do today:

• Make a plan for how information will be shared following an attack — what do you communicate, how and to who?
• Test your recovery plan and update it accordingly
• Consider the impact of a breach on your reputation; what can you do that will put clients and stakeholders at ease?

This was a very short and to-the-point explanation of the five pillars. We recommend that you check out the complete NIST framework and study more here.