This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies".
You can download our ebook on the rule at https://ria.tips/ebook.
In 2022 the SEC proposed new regulations to protect the financial and investment sector from cybersecurity risks. The rules are meant to clarify existing obligations, but they also contain significant changes for SEC Registered Investment Advisors.
Advisors are already expected to address cybersecurity under existing regulation. However, no current rule explicitly states what a comprehensive cybersecurity program must contain or how an RIA is expected to implement one. The result is both greater cybersecurity risk and greater regulatory risk for advisors, because there is no clear standard to measure a program against.
What Is The Proposed Cybersecurity Rule for RIAs?
It is a new, comprehensive rule that regulates cybersecurity for advisors, and it rests on rules and regulations already in place.
The SEC proposed new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act. Together they require advisors and investment companies registered with the Commission to adopt and implement cybersecurity policies and procedures that address several critical elements.
The New Rule:
- Requires RIAs to adopt written cybersecurity policies and procedures tailored to their business operations.
- Requires a review of those policies and procedures at least annually, with updates as needed to keep pace with changing cyber threats.
- Requires financial and investment companies to anticipate advanced threats and to protect critical client data from unauthorized access, harm, or loss.
- Proposes amendments requiring advisors to report significant cybersecurity incidents to the SEC and to disclose them to clients and prospective clients.
The requirements also reach RIA service providers. Advisors must assess and oversee the cybersecurity of the third parties that receive or maintain their information, including custodians, broker-dealers, trading platforms, CRMs, file-sharing services, and other technology vendors.
Why Does It Matter While Still a Proposed Rule?
The SEC goes out of its way to explain that it already has the authority to enforce most of what the proposed rule requires, because advisors are fiduciaries to their clients. In practice, that means advisors should not wait for the rule to be finalized before addressing these requirements.
The Compliance Requirements for Advisors
The SEC's proposed rule requires advisors to meet a set of information-security requirements.
These include:
- Well-documented Policies: Document cybersecurity policies and procedures that address the risks that could harm clients or lead to unauthorized access to information systems and the information they hold.
- Regular Reviews: Because cybersecurity threats change constantly and firms differ in their needs, policies and procedures must be reviewed at least annually, and more often as the environment requires.
- Oversight Procedures: Advisors must have effective oversight and technical controls to ensure that the policies and procedures are actually followed.
- Effective Cybersecurity Management: Advisors may engage third-party cybersecurity experts to manage cyber risks and help build a robust cybersecurity program. The SEC expects that smaller advisors will need to outsource cybersecurity, while larger firms may be able to meet the requirements in-house.
We will look at each area in more detail in upcoming posts.