Cyber Ready

Foil potential breaches with strong data security practices.
Reported by Ed McCarthy 

The Securities and Exchange Commission has clearly signaled that retirement plan advisers must adopt and implement prescribed best practices for their cybersecurity programs. Cybersecurity should be a top priority for advisers, and the SEC wants better, more consistent practices combined with additional reporting and disclosure. 

On February 9, the SEC proposed new cybersecurity risk management amendments and rules for SEC-registered investment advisers and investment companies. The proposal’s comment period closed in April, and there is no date for the final release, though sources estimate the rule will be published in early 2023. The agency’s “Cybersecurity Risk Management Fact Sheet” states that the proposal will: 1) address concerns about advisers’ and funds’ cybersecurity preparedness while reducing risks for clients and investors; 2) improve advisers’ and funds’ disclosures about their cybersecurity risks and incidents; and 3) improve the SEC’s ability to assess systemic risks and oversee advisers and funds. 

Prescriptive Proposal 

Each of the proposal’s three categories contains detailed guidance on what the SEC expects for compliance, stressing that adhering to the new rules is mandatory even if the cost to do so is a challenge. Per the proposal: “In the extreme, we expect that registrants with no current cybersecurity policies and procedures would have to bear substantial costs.” 

The proposal incorporates established best practices with multiple references to existing guidance from the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency. The SEC allows advisory firms flexibility with implementation, however, recognizing that “there is not a one-size-fits-all approach to addressing cybersecurity risks.” 

The agency has taken a stronger position with this proposal than in its previous cybersecurity guidance. “While in the past the SEC has focused more on recommendations and best practices, now the agency is shifting its stance to implementing a prescriptive rule set and creating accountability,” according to technology consulting firm ECI’s report “New SEC Rules for Cybersecurity Risk Management: How Investment Advisers and Funds Should Respond Today.”  

Cybersecurity Risk Management 

The proposal’s cybersecurity risk management section lists multiple requirements, with an overarching theme that informal, ad hoc cybersecurity plans will no longer suffice. The required actions start with “periodic risk assessments” to identify and classify a firm’s digital assets and the possible risks to those assets. For example, where does a firm’s data reside? Which technology partners and outsourced service providers have access to the adviser’s information systems? What is the potential impact of a cybersecurity incident?

The SEC notes that assessments should be updated at least annually, or more frequently if a firm makes significant changes to its operation, such as moving to a new cloud service provider, for instance. 

“Look at internal and external risks,” says Jason Vinsonhaler, director of compliance for RIA in a Box in New York City. “Have an inventory of devices, vendors and services the firm uses so you have an idea of exactly what your specific risks are, because each firm will look a little different. You want to have that basis for creating an effective policy and procedure related to cybersecurity.” 

“User security and access controls” are required to restrict system and data access to authorized users. These steps include implementation of a written acceptable-use policy that imposes constraints such as limited-duration access to specified datasets. Least-privilege access is another procedure that restricts the availability of data to only what is required for the user’s work. The proposal calls for authentication measures that require users to provide two or more credentials for access, such as multifactor authentication or geolocation verification. These controls should also apply to clients’ access to system information, the SEC says. “We think MFA is crucial for email and any major line of business application,” says Daniel Aronowitz, managing principal in Euclid Insurance, a fiduciary liability insurer in Vienna, Virginia. “We think it’s the bedrock of cybersecurity.”


Advisers must adopt, document and review their cybersecurity risk-reduction “policies and procedures” at least annually. These documents identify policies, workflows, actions to be taken and the parties responsible for each action for ongoing security maintenance and incident responses. Per the SEC proposal, the adviser should document the annual review, assessment and any control tests performed; document any cybersecurity incidents that occurred since the date of the last report; and discuss any material changes to the policies and procedures also since the last report. 

John Eckenrode, a director in the cybersecurity solutions team’s advanced solutions sector with consulting firm Guidehouse in Washington, D.C., supports the policies and procedures requirement. He says it forces organizations to consider how they would respond to an incident and to establish timelines so they can respond in the amount of time the SEC deems appropriate. “The velocity of onset for cyberattacks today is such that you can’t say, ‘We’ll figure it out when it happens,’” says Eckenrode. “You must have a plan in place. You’ve got to have your communication processes established to the point where you almost have draft messages because you kind of know the types of messages you must convey. There’s simply not time to figure it out after it happens.”

The proposal prescribes “information protection and threat and vulnerability management” methods extensively. Recommended data protection techniques include mobile device management; data segmentation; encryption; and systems testing, including penetration tests. Advisers must document that they require service providers with access to the firm’s system to meet the same standards. The SEC is clear that, while an adviser may outsource a function and use a third-party system such as Schwab’s, it may not outsource responsibility and remains ultimately accountable for cybersecurity, according to Rich Itri, chief innovation officer with ECI in Boston.

According to ECI, the SEC’s expectation that firms should deploy technology that will continuously monitor their systems for threats and vulnerabilities is a significant development. “Many firms lack an integrated platform for monitoring, alerting about, responding to, and remediating cyberattacks,” the ECI report claims. “They might use piecemeal solutions that address some of these needs in some contexts. But many don’t currently address threats and vulnerabilities in the comprehensive fashion the SEC is now calling for.” 

“Recordkeeping” requirements will expand with an amendment to the Investment Advisers Act Rule 204-2, the books and records rule. Advisers must keep copies of their cybersecurity policies, annual reviews, risk assessments, incident-reporting Form ADV-C and any documents regarding incidents for five years.  

Incident Reporting  

The proposal’s second main category includes Rule 204-6, which requires SEC-registered advisers to report “significant cybersecurity incidents” to the agency on a revised Form ADV-C. The form’s initial draft is included at the end of the proposal, and it asks 16 questions about cybersecurity incidents and an incident’s status and impact. Form ADV-C submissions would be confidential and filed electronically through the Investment Adviser Registration Depository, or IARD, platform. 

There are two potential challenges with Form ADV-C submission. The first is determining whether an incident qualifies as significant and warrants filing. The proposal offers guidance by defining a significant incident as one or a group of incidents “that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: 1) substantial harm to the adviser, or 2) substantial harm to a client, or an investor in a private fund, whose information was accessed.” 

It likely will take some time for the advisory industry and the SEC to settle on what constitutes a significant incident, says Itri. He suspects the agency kept the definition intentionally broad because it wants the information and also wants to prevent advisers from exercising too much judgment and opting out of reports. Itri says that approach could generate a large volume of unnecessary reports that will lead the SEC to tighten its reporting policy after the final rule has been effective for a year or so. 

Meeting the Form ADV-C filing deadline could be another challenge. A report from the Kirkland & Ellis LLP law firm notes that an incident report must be filed with the SEC “promptly, but in no event more than 48 hours after having a reasonable basis to conclude that an incident has occurred or is occurring.” The emphasis is on filing promptly, according to Kirkland & Ellis: “The proposed rules emphasize that advisers should not wait until after definitively concluding that an incident has occurred or is occurring.” 

New Disclosures 

The proposal’s third main category amends an RIA’s publicly available Form ADV Part 2A to include a discussion of material cybersecurity risks. The Form ADV Part 2A regulations, also called the “brochure rule,” spell out the minimum information that an adviser must provide new clients and periodically update with existing clients.  

Kirkland & Ellis reports that the proposed rule would amend Part 2A to include a new section. The additional text would include a plain-English disclosure of risks that could “materially affect the advisory services provided by the adviser, and how the adviser assesses, prioritizes and addresses cybersecurity risks created by the nature and scope of their business.”

The SEC uses a forward-looking argument for the disclosure requirements. Even if a cybersecurity risk has not led to an incident, it can be considered material to an adviser’s advisory relationship with clients “if there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information.” Also, the proposal’s definition of materiality makes frequent use of the “could” qualifier in its requirements, with language such as “could disrupt the adviser’s ability to provide services,” “could result in the loss of adviser or client data,” or “could harm, or has harmed, clients.”

Kirkland & Ellis points out that, besides the forward-looking analysis, advisers must disclose any incidents in the past two fiscal years that “have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients.”  

The SEC will want to see specific items in the incident disclosures: the entity or entities affected; dates of discovery and the incident’s status; whether any data was stolen, altered, accessed or used for any other unauthorized purpose; how the incident affected the adviser’s operations; and whether the adviser, or service provider, has remediated or is currently remediating the incident. 

Advisers must deliver Form ADV Part 2A amendments promptly. The SEC does not specify a delivery time limit, but the proposal’s language emphasizes speed: “… the timing of the brochure amendment delivery should take into account the exigent nature of cybersecurity incidents, which would generally militate toward swift delivery to clients.” 

Possible Business Implications 

As the cost and complexity of complying with cybersecurity regulations increase, the question arises of how small and midsize RIAs will cope. Outsourcing is an obvious answer.

Merging or partnering with a larger RIA could be another solution. Jon Meyer, chief technology officer with RIA firm CAPTRUST in Raleigh, North Carolina, says the firm has 52 people on its IT staff, seven of whom work solely on security and networking. Smaller firms cannot match this dedicated expertise, which makes mergers and alliances with larger RIAs such as CAPTRUST attractive.

Get Proactive

The Securities and Exchange Commission’s final rule is still unavailable, but a prudent course would be to review cybersecurity practices now with the goal of identifying and correcting weaknesses, says Jon Meyer of CAPTRUST. Meyer suggests starting with the best practices in the 12-point cybersecurity program published by the Department of Labor Employee Benefits Security Administration in April 2021.

“I think that’s a fantastic starting point for us and for really any firm to make sure you’re operating a thorough and well-managed cybersecurity risk program,” Meyer says.

ECI, a global provider of managed services, cybersecurity and business transformation consulting for financial service organizations, has developed a detailed action plan for advisers awaiting the SEC’s rule. Here are seven recommended actions from the ECI report “New SEC Rules for Cybersecurity Risk Management: How Investment Advisers and Funds Should Respond Today”*:

1) Establish written cybersecurity plans, policies and procedures; 

2) Review, document and enforce access management best practices; 

3) Deploy data protection policies and technologies; 

4) Manage threats and vulnerabilities; 

5) Implement cybersecurity incident response planning and recovery; 

6) Report and disclose cybersecurity incidents; and 

7) Formalize cybersecurity responsibility and accountability.

*Reprinted with permission

Art by Lars Leetaru