Don’t Wait for the New SEC Cybersecurity Rule to Become Better Stewards of Data

Financial firms are doing business in a golden age for cybercriminals. In 2022, web application and API attacks against financial services firms grew by 257%. Policymakers are amplifying the call for financial institutions (FIs) to become better stewards of investor data. 

The White House released its National Cybersecurity Strategy in March, toward the ultimate objective of protecting investors and the integrity of the financial markets. Shortly after, the SEC reopened the comment period on the 2022 proposed Cybersecurity Rule 206(4)-9, which provides registered investment advisers, asset managers and funds with a set of rules governing cybersecurity reporting, disclosure and governance.

Whether an FI is ahead of the curve or behind the pack on reporting cyber risk to stakeholders, it is inadvisable to wait until the SEC’s rules kick in to begin a path to compliance. Asset managers can immediately educate themselves on the new requirements and pre-empt the SEC by codifying and fortifying their attack incident reporting processes, customer notification processes and written cybersecurity policies and procedures. 

Now that the public comment period is closed, what are the top elements compliance leaders at broker-dealers, clearing agencies and other market entities should be looking at when considering cybersecurity compliance?

Assess cyber risk to build cyber resilience

The SEC rules are a call-to-arms for asset managers to bolster cyber risk resilience. Compliance leaders will be asked to provide written proof that they understand and address all cyber risks, including categorizing and prioritizing cybersecurity risks associated with their information systems. And these risk assessments are not merely a one-off action. 

Advisers and funds will be required to conduct yearly assessments that take into account info sensitivity, where and how data is accessed, stored and transmitted, system access controls, malware protection and more. Financial advisers will be required to clearly document and communicate any cybersecurity risks that could affect their advisory clients and fund investors. Risk is not an immutable metric, so FIs must subsequently prioritize and address evolving risks. The attack surface will only broaden with new technologies, continued cloud migration and the proliferation of digital assets on blockchains.

For good measure, the rule will also ask for records documenting the FIs’ cybersecurity risk assessment from the past five years. Deloitte found that FI organizations around the world agree that their number one challenge is the increasingly large and complex attack perimeter to defend. As such, CEOs and boards are “increasingly calling for more sophisticated risk quantification techniques that tie into broader business risks.” Department heads should break out of their silos and collaborate with CISOs to review their current cybersecurity posture by conducting a thorough risk assessment to find vulnerabilities.

Manning the cybersecurity watchtowers

The SEC is asking that fund managers document how they detect, mitigate and remediate cybersecurity threats to, and vulnerabilities of, their information and systems. This should motivate IT leaders and CISOs to update and create official company policies for identifying suspicious behavior, including generating and reviewing activity logs, identifying potential anomalous activity, and escalating issues to senior officers whenever appropriate. Advisers and funds should develop methodical plans for monitoring, tracking and patching vulnerabilities. Proactive measures like regular penetration testing, red-teaming and compromise assessments are essential. Based upon these meticulous assessments, they should actively plug existing gaps. Further, they should also monitor industry and government sources for new threats and vulnerability information to stay on top of threat trends.

In the event of an attack

Not only must advisers and funds install policies and procedures to detect improper activity, but they will also need to document their cybersecurity incident response and recovery procedures. The SEC hopes that investors, issuers and market participants alike would benefit from knowing that these entities have in place protections fit for a digital age. The new rule would call for FIs to disclose security incidents via the proposed Form ADV-C within 48 hours and to alert customers of any compromised data within 30 days. 

Swift, accurate incident reporting is essential to stop the initial bleeding or take remedial action. Advisers and funds would also be required to describe any cybersecurity incidents that occurred over the past two fiscal years that caused substantial harm to the adviser or their clients. The SEC is seeking to motivate firms to constantly improve data security postures, as the annual assessment report will include whether any control tests were performed, document any cybersecurity incidents that occurred since the previous report and discuss any material changes to the policies and procedures since the last report.

Third-party cyber risk management

The proliferation of fintech partnerships and APIs, as well as increasing automation in general, has muddled already complicated cyber defense paradigms. Now, advisers not only worry about their own system security but also the security postures of the numerous software integrations essential for daily business. Criminals have increasingly targeted managed service providers, the software supply chain and the cloud. Under the SEC rules, compliance officers have to identify any service providers that receive, maintain, or process adviser or fund information, or that otherwise have access to their systems, and identify any cybersecurity risks associated with their access. Advisers and funds can ensure their service providers are capable of protecting important information and data systems, conducting due diligence procedures and periodic contract review processes. Robust access and identity management controls are a must-have to minimize unauthorized access to information systems.

The scale of the perceived burden is a reflection of the scale of cybersecurity risks in today’s operating environment. The current timeline for finalizing the rule continues to be pushed into the future, offering FI compliance leaders and CISOs time to adapt. Given the sensitive nature of the data and information FIs handle, the proposed new Rule 10 sets a standard that strengthens transparency, trust, and accountability between FIs and the parties with which they do business. International Monetary Fund (IMF) global research revealed that information sharing and reporting represents the top cybersecurity gap in the oversight of financial markets infrastructures. This new level of transparency will help the public and private sectors share critical information on threats to marshal collective forces to protect the securities markets.