This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"
You can download our ebook on the rule at https://ria.tips/ebook.
If the rule is only proposed, why does that matter to you as an advisor?
The SEC goes out of its way to explain that it already has the authority to enforce most of the requirements in the proposed rule, because advisers are required to be fiduciaries.
[F]iduciary obligation includes taking steps to minimize cybersecurity risks that could lead to significant business interruption, disruptions, or a loss or misuse of client data.
RIAs act as clients’ fiduciaries and are expected to always act in the client’s interest.
This means they must:
- Protect client information from threats, hazards, unauthorized access, or criminal use of client records.
- Take adequate steps to prevent business disruptions.
- Formulate cybersecurity policies in accordance with the Investment Advisers Act, among the other regulations cited below.
- Detect and identify red flags, respond to threats, and mitigate identity theft.
- Train staff adequately to handle cybersecurity risks and report abnormal behavior that could lead to the exploitation of vulnerabilities.
The SEC cites multiple laws and regulations to back up its existing authority to enforce the rule's contents. A small sample of those references includes:
- 17 CFR 275.206(4)-7 (“Advisers Act compliance rule”)
- Investment Advisers Act Release No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)]
- Compliance Programs of Investment Companies and Investment Advisers, Investment Advisers Act Release No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)]
- 17 CFR 270.38a-1 (“Investment Company compliance rule”)
- 17 CFR 248.1 through 248.31 (“Regulation S-P”)
- 17 CFR 248.201 through 248.202 (“Regulation S-ID”)
If you think those regulations are not specific to cybersecurity, the SEC agrees, but it explains why they are still relevant:
While the Advisers Act compliance rule does not enumerate specific elements… an adviser generally should first identify… factors creating risk exposure for the firm and its clients… Because cybersecurity incidents could create significant operational disruptions and losses to clients and investors, we understand that advisers often consider the cybersecurity risks… when developing their compliance policies and procedures under the Advisers Act compliance rule and tailor their policies and procedures to address those risks.
Similar statements are made with regard to Regulation S-P and Regulation S-ID.
The implication is that the SEC will interpret existing regulations through the lens of the proposed rule. In other words, the SEC believes advisers should already have these cybersecurity items in place.