The SEC on Cybersecurity
Cybersecurity, and related vulnerabilities, have become the focus of regulators, including the Securities and Exchange Commission. As a result, investment advisers registered under the Investment Advisers Act of 1940 should be reviewing their practices and procedures in light of the SEC’s guidance and proposed cybersecurity regulation.
Current Interpretations
The SEC has stated that certain provisions in the Advisers Act should be interpreted to require that an adviser firm have policies and procedures in place to protect its investment operations and customer information from cyberattack. Specifically, the SEC cites an adviser’s duty of care and duty of loyalty under the act.
These fiduciary obligations demand that advisers “take steps to protect client interests from being placed at risk because of the adviser’s inability to provide advisory services.” Therefore, the adviser should adopt policies and procedures, in accordance with the SEC’s compliance rule at 17 CFR Section 275.206, designed to minimize operational and other risks caused by incidents that may prohibit the advisory firm from providing its services or that would allow for the misuse of the information on the adviser’s systems.
Additionally, the SEC points to Regulation S-P (17 CFR 248.1 through 248.31), which requires that an adviser adopt written policies and procedures that address safeguards—administrative, technical and physical—for the protection of customer records and information. These requirements, in the SEC’s view, extend to protecting the firm and its customers against cybersecurity threats.
Similarly, the SEC points to its Regulation S-ID (17 CFR 248.201), which demands that advisers implement an identity theft program, including policies and procedures designed to detect attempts at, and to react to, identity theft affecting customers by electronic or other means. Finally, the agency noted that firms may be required to report to their clients certain material cybersecurity events on Part 2 of Form ADV.
In 2014, the SEC’s Office of Compliance Inspections and Examinations conducted examinations of adviser information security policies and procedures. Based on the findings, the OCIE published, in September 2015, its “Cybersecurity Initiative Report,” which summarizes the security practices it observed. And, in January 2020, the office published “Cybersecurity and Resiliency Observations,” highlighting what it deemed to be appropriate practices.
The SEC’s Cybersecurity Proposal
Notwithstanding the agency’s position that the Advisers Act already requires a firm to adopt policies and procedures designed to protect itself and its customers from cyber-related incidents, the SEC, on March 9, 2022, issued a proposed rule called Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies.
The proposed rule, if adopted in full, would establish a specific regulatory requirement to implement cybersecurity policies and procedures, “reasonably designed to address the adviser’s cybersecurity risks.” It would be unlawful for an adviser to engage in an advisory business without doing so. Such policies and procedures would need to address: 1) cybersecurity risk assessment; 2) user security and access; 3) information protection; 4) cybersecurity threat and vulnerability management; and 5) cybersecurity incident response and recovery. Further, firms would need to review such policies and procedures annually to assess their effectiveness.
The proposed rule would also create cybersecurity incident disclosure obligations. Advisers would need to report specific information regarding incidents in part 2 of the firm’s ADV and report any significant incidents to the SEC.
The Takeaway
Though the rule is not final, both the preamble and the regulatory text provide insights into how the agency might view a firm’s cybersecurity efforts. Advisers should assume that the proposed rule will be adopted in some form. Therefore, firms should review their current cybersecurity practices against the proposed rule to be ready for compliance with a final rule. Notably, the compliance burden may be substantial—particularly for small to midsize firms, which often lack the technological resources of other firms.
The DOL’s Cybersecurity Investigations
The Securities and Exchange Commission is not the only regulator concerned with cybersecurity practices.
The Department of Labor has increasingly been reviewing cybersecurity policies and procedures, including those of third-party service providers, when investigating plans covered by the Employee Retirement Income Security Act. Therefore, investment adviser firms should expect that plan sponsors will ask them for information about their cybersecurity policies in order to address requests or questions from a DOL investigator.
Further, an adviser may directly receive a request from an investigator to produce cybersecurity-related documents or may be interviewed by the investigator regarding cybersecurity procedures, though this is less common.
In its investigations, the DOL asks for substantial documentation regarding the adviser’s cybersecurity procedures and asks questions related to those procedures, as well as to the firm’s cybersecurity policies and cybersecurity liability insurance.
DOL Guidance
The document request and questions are largely based on two pieces of guidance the DOL issued in April 2021. The first of them, “Cybersecurity Program Best Practices,” was written to help advisers and other plan service providers ensure proper mitigation of cybersecurity risks—in their clients’ plans and in their own practice. The document will be the basis of the cybersecurity questions that investment advisers and other fiduciary providers can expect to receive from a sponsor client and can help them determine how they might be evaluated by plan fiduciaries or the DOL.
“Best Practices” provides 12 practices that, the DOL says, “recordkeepers and other service providers responsible for plan-related IT systems and data” should follow. Additionally, the DOL states that these practices can be utilized by plan fiduciaries in making prudent decisions on the selection and retention of service providers.
The guidance, further, outlines what the DOL says a good cybersecurity program should consist of, including components such as an annual risk assessment of the program’s effectiveness, strong access controls, reliable third-party audits of security controls, cybersecurity awareness training and a business resiliency program.
Notably, plan sponsor clients may ask to see documentation confirming that reliable third parties have reviewed the provider’s procedures—e.g., a SOC 2 report.
The second piece of guidance, “Tips for Hiring a Service Provider with Strong Cybersecurity Practices,” focuses on questions plan fiduciaries should ask regarding cybersecurity practices when considering hiring a service provider. Among other things, the DOL suggests the plan fiduciary inquire as to whether the service provider has cybersecurity liability insurance.
In the days to come, cybersecurity likely will become an issue on which the DOL will focus in all of its plan investigations. For advisers, this will especially be the case if they hold or have access to personally identifiable information of plan participants or plan assets.
A failure to honor client requests could result in a direct document or interview request, including a subpoena, from the DOL investigator. Additionally, the DOL has the power to investigate any fiduciary or nonfiduciary service provider to the plan and may do so if it learns that the provider is the victim of a cybersecurity incident that may have affected an ERISA-covered plan. —DK
David Kaleda is a principal in the fiduciary responsibility practice group at Groom Law Group, Chartered, in Washington.