SEC's Cybersecurity Rules for Investment Advisers
The SEC is on the brink of adopting new cybersecurity risk management rules, which are set to transform the landscape for financial advisors and investment companies.

These forthcoming rules encompass Rule 206(4)-9 under the Advisers Act, Rule 38a-2 under the Investment Company Act, and updates to Rule 204-2 of the Advisers Act, originally proposed on February 9, 2022.

It is imperative to understand that the forthcoming SEC rules are not just mandates; they are a blueprint for fortifying our defenses against the increasingly sophisticated cyber threats.

Michael Kourkoulakos, CEO of NENS

Following the recent finalization of a cybersecurity rule for public companies, industry insiders are increasingly confident that the rules for private funds are on the horizon. However, a specific timeline for finalization remains uncertain.

Preparing for upcoming changes while dealing with uncertainty can be tricky. If you want to start getting ready without the risk of doing unnecessary or redundant work, this guide will introduce you to everything you need to know.


Who These Rules Are Expected to Impact

The proposed rules will affect various groups, not just within the financial sector.


Registered Investment Advisers (RIAs), Registered Investment Companies (RICs), and Business Development Companies (BDCs)

These entities are poised to see direct impacts. The regulations may necessitate ensuring their service providers—like custodians, brokers, dealers, pricing services, and technology vendors—have strong cybersecurity measures.

Service Providers

The new rules could require service providers to bolster their cybersecurity frameworks, possibly affecting their operations and leading to increased cybersecurity compliance costs.

Clients of Registered Investment Advisers, Companies, and BDCs

These are the clients of registered investment advisers, companies, and business development companies. They can be individuals or organizations.

Investors in Registered Investment Companies and BDCs

These investors channel their funds into managed investment vehicles like mutual funds, ETFs, and BDCs. The group encompasses individual retail investors, institutional investors, and others aiming for specific financial returns through collective investment strategies.


In a Nutshell: Preparing for the Rules

Action Item                               | Description                                                                                     | Importance
------------------------------------------|-------------------------------------------------------------------------------------------------|------------
Conduct a Cyber Risk Assessment           | Identify and prioritize potential cybersecurity threats to your organization.                   | Critical
Update Cybersecurity Policies Annually    | Ensure policies are robust, up-to-date, and cover key areas outlined by the SEC.                | High
Enhance Service Provider Oversight        | Evaluate and ensure that third-party providers meet cybersecurity standards.                    | High
Implement Strong User Access Controls     | Restrict and monitor access to sensitive information and systems.                               | Essential
Develop a Cyber Incident Response Plan    | Create protocols for managing and reporting cybersecurity incidents.                            | Essential
Regular Training and Awareness Programs   | Conduct ongoing education for employees on cybersecurity practices.                             | Beneficial
Evaluate Cybersecurity Insurance Coverage | Review and adjust your insurance to cover potential cyber risks adequately.                      | Recommended
Consult Legal and Regulatory Experts      | Engage with specialists to understand the regulations and how they apply to your business.      | Advisable
Strengthen Compliance and Audit Functions | Perform regular internal and external audits to ensure adherence to cybersecurity policies.     | Essential


Requirements Laid Down by the Proposed Rules

The proposed cybersecurity rules lay out a comprehensive framework for investment advisers, investment companies, and BDCs. Here’s an overview of the key components:

  • Cybersecurity Policies and Procedures: Establish and follow written policies and procedures specifically designed to manage cybersecurity risks effectively.
  • Risk Assessment: Regularly evaluate and document the cybersecurity risks associated with information systems and the stored data. This involves identifying which service providers have access to data, assessing the potential risks linked to these third parties, and prioritizing these risks for action.
  • User Security and Access: The policies should include strategies to reduce risks tied to user access and prevent unauthorized entry into the systems. This encompasses setting up user behavior guidelines, verifying user identities, controlling access levels, and safeguarding technologies used for remote access.
  • Information Protection: Safeguard information from unauthorized access or misuse. This protection must be continually reassessed and should include limiting access to critical data and defending against malware.
  • Threat and Vulnerability Management: There needs to be an ongoing effort to identify, lessen, and rectify cybersecurity threats and vulnerabilities to maintain system integrity and security.
  • Cybersecurity Incident Response and Recovery: Have protocols in place for detecting, addressing, and recovering from cybersecurity incidents to ensure continuous operation. This includes protecting systems and data, as well as setting up communication channels for sharing information about incidents internally and externally.
  • Reporting of Significant Cybersecurity Incidents: If a significant cybersecurity incident occurs, registered investment advisers, companies, and BDCs must report this to the SEC, detailing the impact on operations or clients.
  • Disclosure: The rules propose changes to certain forms to require disclosures about significant cybersecurity risks and incidents that could impact advisers, funds, and clients or investors.
  • Recordkeeping: There are proposed new requirements for keeping records that demonstrate compliance with these cybersecurity protocols under both the Advisers Act and the Investment Company Act.



How Things May Change for You

Increased Cybersecurity Measures

You will need to step up your cybersecurity efforts. This means creating clear rules and procedures, regularly checking for cyber risks, managing who can access what information, and ensuring data is protected.

You'll also need to get better at spotting, stopping, and recovering from cyber-attacks, which means adopting more advanced security technology and methods.


Recordkeeping and Documentation

The new rules require detailed recordkeeping and documentation of cybersecurity policies, procedures, and incidents. This will necessitate efficient management systems to ensure compliance and facilitate regulatory inspections or audits.


Implementing the Rules and Ongoing Maintenance

You will have to bear the cost of developing, implementing, and maintaining an enhanced cybersecurity infrastructure. This can be expensive, especially for smaller entities with limited resources.

Your costs may include new technology investments, hiring or training staff with cybersecurity expertise, and ongoing expenses to keep cybersecurity measures up-to-date against evolving threats.


Managing Complex Cybersecurity Requirements

The new cybersecurity rules ask organizations to put in place thorough and detailed plans for handling cyber threats. This includes checking for risks regularly, controlling who gets access to information, keeping data safe, and dealing with any cyber incidents that occur.


Integration with Existing Systems and Processes

Putting new cybersecurity policies into practice alongside current systems and processes without causing significant disruptions to day-to-day business will be a tough balancing act.

You need to strengthen your defenses against cyber threats while ensuring they don’t hamper workflows.


Third-party Service Provider Oversight

Ensuring that third-party service providers comply with the cybersecurity standards required by the new rules adds another layer of complexity.

You must conduct thorough due diligence and continuously monitor your service providers, which can be resource-intensive.


Regulatory Compliance and Reporting

The requirement to report significant cybersecurity incidents to the SEC introduces a need for robust detection and reporting mechanisms.

Preparing for and responding to regulatory scrutiny while managing potential reputational impacts in the event of a reported incident will pose a significant (and new) challenge.


Keeping Pace with Evolving Cyber Threats

Cyber threats are continually evolving, becoming more sophisticated over time. You must ensure that your cybersecurity measures are adaptive and can effectively counter new threats.

This will require ongoing vigilance, investment in new technologies, and continuous improvement of cybersecurity practices.


What Should You Do to Prepare for the Rules

Here are the key steps you should take to get ready, ensuring you meet the new requirements without disrupting your business. Let’s dive into how you can prepare effectively.


1. Conduct a Cyber Risk Assessment and Rank Your Risks

According to the draft rules, the starting point for crafting effective cybersecurity policies is to assess and comprehend the cyber risks your organization faces.

This step is critical in pinpointing and prioritizing potential threats. Although how often you’ll need to do these assessments is not yet specified, the proposed rules emphasize the need for regular reviews.


2. Create and Refresh Information Security Policies

The proposed rules highlight the importance of updating cybersecurity policies annually, a practice that’s likely to remain in the final regulations.

These rules clearly outline several key areas your policies should cover. While there’s a possibility that the specific requirements might evolve in the finalized rules, the topics listed in the draft are considered best practices.


3. Enhance Service Provider Oversight

You must take several steps regarding your service providers, including:

  • Listing those with access to sensitive data or systems
  • Evaluating vendors’ cybersecurity measures and resilience
  • Incorporating security provisions into agreements

Although the exact frequency of these evaluations remains to be clarified, the rules will mandate regular assessments.

Onboarding New Service Providers

You may also need to conduct thorough due diligence before onboarding new vendors, establish clear security requirements in contracts, and perform regular audits or reviews of existing service providers to ensure compliance with these standards.

This could also require vendors to demonstrate their cybersecurity preparedness through certifications or provide evidence of their incident response capabilities.


4. Assess Threat and Vulnerability Management

The emphasis on identifying, reducing, and fixing cybersecurity threats and vulnerabilities will almost certainly remain a cornerstone of the final rules.

It’s widely recommended that organizations work closely with their IT teams or an IT managed service provider to handle threat management and engage an independent third party, like a cybersecurity consultant, for vulnerability management.


5. Improve User Access Controls

Implementing strong controls over who can access what information is not just a critical aspect of the SEC’s proposed rules; it’s also the most effective way to reduce the risk of a cybersecurity breach.

Conducting a cyber risk assessment helps identify where your user access controls need enhancement. The sooner your IT team knows where improvements are needed, the better, as upgrading these controls can take time.


6. Develop an Incident Response Plan with Reporting Mechanisms

Crafting a robust plan to respond to security incidents, complete with clear internal reporting protocols, is a key theme of the proposed rules.

You will struggle to meet external reporting and disclosure obligations without a capable internal reporting system.

While details on reporting procedures might evolve in the final rules, it’s a safe bet that reporting requirements will be included, making the development of strong internal incident reporting practices to the Chief Compliance Officer (CCO) a critical first step.


7. Training and Awareness Programs

Implementing regular training sessions for all employees is a powerful strategy to reduce cybersecurity risks.

These sessions should cover recognizing phishing emails, the importance of using strong passwords, and the protocols for reporting suspicious activities. Awareness programs can reinforce this training through newsletters or workshops, ensuring that cybersecurity remains a forefront concern for everyone.


8. Cybersecurity Insurance

Evaluating and potentially enhancing your cybersecurity insurance coverage is crucial to mitigate the financial impacts of cyber incidents.

This step involves understanding the specific types of cyber risks your organization faces and ensuring your policy covers those risks.


9. Legal and Regulatory Consultation

Engaging with legal and regulatory consultants who specialize in SEC regulations and cybersecurity is invaluable.

They can assist in interpreting how new regulations apply to your specific operations and guide you in implementing compliance strategies. For example, a consultant might help you draft or review your incident response plan to ensure it meets regulatory standards and provides practical steps for action.


10. Compliance and Audit Functions

Strengthening your compliance and audit functions is essential for continually assessing the effectiveness of your cybersecurity measures. This could involve conducting regular internal audits to test the security of your information systems and the adherence to your cybersecurity policies.

For example, you might establish a routine schedule for internal audits and use external auditors annually to ensure an unbiased review.

What Your Next Steps Should Be

The proposed rules will have a cost, administrative, and workflow impact on organizations. However, they effectively formalize what a responsible organization should do in today’s cybersecurity climate.

Nation-state actors, corporate adversaries, and the prevalence of untargeted, opportunistic attacks mean you should already have an effective cybersecurity and risk mitigation framework in place in your organization.

NENS brings a wealth of experience and expertise in cybersecurity, offering services that cover all aspects required by the new rules, including risk assessments, policy development, incident response planning, and more.

From deploying streamlined cybersecurity to helping you identify cost-effective cyber insurance, our consultants can guide you every step of the way. Talk to us about your security needs and learn how we can bolster your defenses without burdening your workflows.