How to Stay Safe From Evolving Cybersecurity Threats

To minimize the impact of potential cyberattacks, organizations should work with investment managers on complying with the Securities and Exchange Commission’s new cybersecurity rules, should adopt prevention measures against threats and should be prepared to respond if an attack happens, experts said at the “Best Practices for Cybersecurity Protection” session of PLANADVISER’s Cybersecurity livestream on October 12.

Percy Lee, an associate at Ivins, Phillips & Barker, Chartered, discussed the SEC’s new cybersecurity rules, which apply to public companies, registered investment advisers, investment companies and broker/dealers.

“These rules have generated a lot of conversation since they were introduced last year, some backlash, so the rules have been delayed for now [for certain organizations],” said Lee.

There are two sets of new SEC cybersecurity rules. The first set of rules governs publicly traded companies and was finalized on July 26, despite industry pushback. This rule takes effect this year, with initial disclosure requirements effective December 18, with later dates for smaller reporting companies.

The second set of rules governs registered investment companies and investment advisers and would require them to adopt cybersecurity policies and report digital incidents. This rule was proposed in 2022 and remains on the SEC’s rulemaking agenda but the specific timeline for finalization remains unknown.

“According to the rules, which were brought forward by the SEC in July, registered investment advisers, investment companies and broker/dealers would have to adopt written cybersecurity procedures and report cyber security incidents,” Lee said.

Although these investment advisory rules do not apply to retirement plan fiduciaries in general, he recommended that producers ask their investment managers about their compliance.

“As far as the SEC rules goes, it’s important to understand … that’s for public companies now, but obviously I think that’s going to make its way to even private firms that aren’t traded,” said Nick Brezinski, director of information security and network at CAPTRUST.

Brezinski urged firms to adopt good cybersecurity practice now to get to a “good spot” before the SEC settles on its requirements, and Roger Grimes, a data-driven defense “evangelist” at KnowBe4 Inc., agreed.

“I think it’s always good for any organization to think about what the rules are that apply to you and how you would respond if you got hit by some cybersecurity incident,” Grimes said. “Just a ton of people have been hit by ransomware over the last couple of years.”

Grimes proposed that firms have a plan in place for if a cybersecurity incident were to hit. He recommended to the virtual audience that they know who to reach out to, whether it be a communications team or a group of consultants.

“You don’t want to be making those sorts of decisions in the midst of the crisis,” he said. “It’s nice to have a thoughtful plan ahead of time. If the worst happens, you can approach it in the best way.”

Grimes said institutional investors, plan sponsors and advisers should:

• Be cautious of social engineering such as fake emails and websites;
• Mend unpatched software;
• Regularly update software, firmware and routers; and
• Use multifactor authentication and different passwords for every site as preventative measures.

“Those four things,” he said. “If you can do them, it will probably mean that you’re very unlikely to get compromised.”