This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"

You can download our ebook on the rule at https://ria.tips/ebook.

Today we are going to take a look at the first of the three main elements of the rule, the written cybersecurity program.

The rule requires firms to “adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.”

The SEC means for the rule to allow “advisers and funds the flexibility to address the general elements based on the particular cybersecurity risks posed by each adviser’s or fund’s operations and business practices,” and notes that “this approach would allow an adviser’s or fund’s cybersecurity policies and procedures to evolve accordingly as firms reassess their cybersecurity risks” as those risks change.

What the SEC calls “general elements” are a cross between a descriptive and a prescriptive set of best practices, policies and procedures, and technical controls. The rule has been criticized both for being too vague and for being too specific, sometimes by the same commenters.

Our view is both simpler and more holistic: the enumerated elements of the rule are all part of any good cybersecurity program. Assuming good-faith enforcement on the part of the SEC, most well-designed programs will be compliant on their own.

The Elements of the Cybersecurity Program

Here we will briefly go over each element of the rule but we will not prescribe technical solutions. Later in the book we will describe the technical controls that are typically used to address each of these.

1. Risk Assessments

To assess and understand risks is at the core of a risk assessment. If you can map out your business processes, where your data is, and core technical components and vendors of your business, you can conduct a risk assessment.

This isn’t for the geeks.

While you can’t complete this without your IT department, it isn’t for them. “[The] risk assessment should inform senior officers at the adviser or the fund of the risks specific to the firm and support responses to cybersecurity risks…”

You can ask, “if this system were interrupted or accessed, would it disrupt operations or expose confidential information?”

Examples:

  • Lost or stolen laptops with confidential information
  • Insider threats, such as disgruntled employees
  • Remote employees
  • Most or all computers rendered inoperable due to ransomware
  • Internal systems (such as servers) or external systems (such as CRMs or portfolio managers) exposed due to re-used or weak passwords
  • Service providers who have access to confidential information

Vendor risks are specifically called out in the rule. The question itself is pretty simple: if a cyber incident disrupted one of your providers, or resulted in the exposure of confidential information they had access to, would it disrupt your firm’s operations or expose your or your clients’ information?

After listing risks, they need to be prioritized, typically by severity (how bad is this?) and probability (how likely is this?).

For most RIAs this should not be an intimidating exercise: every competent adviser analyzes, prioritizes and mitigates risks every day for their clients.

This is just in a different arena, but the principles are the same.

2. User Security Controls

These are the policies and procedures that mitigate risk at the user level. They include:

  • Required standards of behavior for users, such as acceptable use policies. (Are employees allowed to access TikTok on their work phones?)
  • Identify users and require user authentication: make sure that people with access to information have correct credentials, and that such credentialing is secure (such as two-factor or multi-factor authentication).
  • SOPs for passwords and other forms of authentication.
  • Restrict access to information to those who need it: the “need to know” principle.
  • Require remote access to systems to be secure.

3. Information Protection

This portion, “require[s] advisers and funds to monitor information systems and protect information from unauthorized access or use…”

This includes things such as data encryption, log monitoring, identifying anomalous activity (unusual logins or data access), actively blocking exfiltration of sensitive data (such as blocking emails containing social security numbers), system testing and penetration tests.

This is an area where advisers are more likely to be weak than in user access controls. Specifically, continuous monitoring is still uncommon, and very few penetration tests are useful. (They often produce pages of irrelevant information, and completely ignore data in the cloud or on mobile devices.)
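To make two of the controls named above concrete, here is an added example (not code from the blog post or from the SEC rule) of what continuous monitoring and exfiltration blocking look like at the smallest scale: a check over login records that flags a user signing in from a country never seen for them before, or succeeding right after a burst of failures, and an outbound-email check that holds any message containing a plausible Social Security Number. The log lines, email bodies, user names and the `FAIL_BURST` threshold are all constructed for illustration; a real deployment would read the firm's identity-provider logs and email gateway instead.

```python
"""Added example: two information-protection controls over constructed data.

1. Anomalous-login detection (unusual logins).
2. Outbound DLP check for Social Security Numbers (blocking exfiltration).
"""
import re
from collections import defaultdict

# Constructed authentication log: timestamp, user, result, source country.
SAMPLE_AUTH_LOG = """\
2024-03-04T08:02:11Z alice SUCCESS US
2024-03-04T08:05:40Z bob SUCCESS US
2024-03-04T08:06:02Z bob FAIL US
2024-03-04T09:15:33Z alice SUCCESS US
2024-03-04T22:41:07Z alice SUCCESS RO
2024-03-05T03:10:01Z carol FAIL US
2024-03-05T03:10:04Z carol FAIL US
2024-03-05T03:10:07Z carol FAIL US
2024-03-05T03:10:09Z carol FAIL US
2024-03-05T03:10:15Z carol SUCCESS US
"""

FAIL_BURST = 3  # assumed threshold: this many failures in a row, then a success, is suspicious


def detect_anomalous_logins(log_text):
    """Return a list of (user, reason) findings, in log order.

    'first login from X' fires when a user succeeds from a country not seen in
    any earlier line for that user; 'success after N failures' fires when a
    success follows at least FAIL_BURST consecutive failures for that user.
    """
    seen_countries = defaultdict(set)
    consecutive_fails = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the monitor
        _ts, user, result, country = parts
        if result == "FAIL":
            consecutive_fails[user] += 1
            continue
        if result != "SUCCESS":
            continue
        if consecutive_fails[user] >= FAIL_BURST:
            findings.append((user, f"success after {consecutive_fails[user]} failures"))
        consecutive_fails[user] = 0
        # A user's very first login establishes their baseline and is not flagged.
        if seen_countries[user] and country not in seen_countries[user]:
            findings.append((user, f"first login from {country}"))
        seen_countries[user].add(country)
    return findings


# SSN pattern: 3-2-4 digits with dashes; \b boundaries avoid matching inside longer numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Apply the SSA issuance rules so that reference numbers and placeholders
    do not trigger the block: area is never 000, 666 or 900-999; group is
    never 00; serial is never 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text):
    """Return the SSN-like values in text that pass the plausibility rules."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def outbound_email_allowed(body):
    """Return (allowed, reason). A message with a plausible SSN is held, not sent."""
    hits = find_ssns(body)
    if hits:
        return False, f"blocked: {len(hits)} SSN-like value(s) found"
    return True, "ok"


# Constructed outbound messages: one clean, one leaking, one placeholder that must pass.
SAMPLE_EMAILS = {
    "statement": "Hi Jane, your Q1 statement is attached. Call 555-0100 with questions.",
    "leak": "Per your request the client's SSN is 219-09-9999 and DOB 1970-01-01.",
    "false_positive": "Reference number 000-12-3456 is a placeholder, not a person.",
}

if __name__ == "__main__":
    for user, reason in detect_anomalous_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT {user}: {reason}")
    for name, body in SAMPLE_EMAILS.items():
        allowed, reason = outbound_email_allowed(body)
        print(f"{name}: {'sent' if allowed else reason}")
```

Two design points carry over to real tooling: the login monitor keeps per-user state (the baseline of countries already seen), because "unusual" only means something relative to that user's history, and the DLP check validates the number's structure rather than matching any 3-2-4 digit pattern, which is what keeps a control like this from being switched off after a week of false positives.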

This is also where vendor due diligence comes in. Firms will be required to have written contracts with service providers that require providers to implement and maintain cybersecurity programs similar to those of the advisers. More simply: your vendors need to protect their systems as well as you need to protect your own, and they need to commit to it in writing.

RIAs should also have oversight measures, which might include contract reviews, asking for copies of the provider’s policies and procedures, or third-party validation of the provider’s security (such as a SOC 2 report). And you must document all of this.

4. Threat and Vulnerability Management

This is where firms prevent attacks: you must detect, mitigate, and remediate cybersecurity threats and vulnerabilities.

Examples include:

  • Employee training
  • Regular security assessments
  • Regular software updates
  • Monitoring for software that needs to be updated
  • Risk management processes
  • Monitoring industry and government news sources for new or emerging threats
  • Replacing systems before software vendors stop providing security updates

After vulnerabilities are found, they must be mitigated. Note: mitigation is not always elimination. If Microsoft has a security vulnerability that only Microsoft can fix, you can’t eliminate it, but you might be able to train around it, or add additional security software until Microsoft issues a patch.

Vulnerability mitigation should also be prioritized; some are more likely to be exploited by attackers than others, and some will have greater impact than others.

5. Cybersecurity Incident Response and Recovery

This portion of the rule requires that firms can detect, respond to and recover from a cybersecurity incident. This is often a weak area: very few firms have appropriate plans. They often boil down to (a) call IT, (b) restore from backups, and (c) file an insurance claim.

Executives must be involved.

“[A]n incident response plan should generally have a clear escalation protocol to ensure that an adviser’s and fund’s senior officers, including appropriate legal and compliance personnel… receive necessary information regarding cybersecurity incidents on a timely basis.” (Page 31)

The SEC expects policies and procedures that cover five major areas:

  • Continued operations
  • Protection of adviser systems and information
  • Cybersecurity incident information sharing
  • Reporting to the SEC (this is covered in detail in the next chapter)
  • Documentation of the incident, along with your response and recovery from it.

This section of the rule is not clearly defined and will have to rely on cybersecurity industry standards to make sense as a whole. Let’s break out what an incident response plan (IRP) might look like for your firm:

1. Who: Who is on your response team? This should include at least one senior officer, and typically includes representatives from IT/cybersecurity, legal, compliance, operations and marketing. There are specific roles that need to be filled, including overall team coordination, communications (often where marketing comes in), and compliance review.

2. Detect: How do you know an attack is underway? This will overlap with the previous three areas. It isn’t enough just to have tools that prevent an attack; you need to know when they didn’t stop one.

3. Classify: You should have objective criteria defined to classify the category of an incident (for example, operational disruption versus unauthorized data access) and its severity.

This is both practical and protective: we expect that in the event of an incident and a follow-up SEC audit, clear and documented criteria will go a long way to showing your firm had a thorough and reasonable response.

6. Reviews

Under the rule, you must review the effectiveness of your policies and procedures not less than annually, and more often if appropriate. The SEC makes it clear that this will often, maybe even usually, be more frequent than annually.

Firms should re-assess their program in light of “[new] cybersecurity risks as they arise, to reflect internal changes, such as changes to its business, online presence, or client web access, or external changes, such as changes in the evolving technology and cybersecurity threat landscape.”

Like most other areas of this rule, senior officers must be informed of material changes to the risk assessment.