The SEC Cybersecurity Rule for RIAs: Definitions

This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"

You can download our ebook on the rule at https://ria.tips/ebook.

This post is taken verbatim from the SEC's proposed cybersecurity rule.

APPENDIX B: FORM ADV GLOSSARY OF TERMS

Adviser information means any electronic information related to the adviser’s business, including personal information, received, maintained, created, or processed by the adviser.

Adviser information systems means the adviser information resources owned or used by the adviser, including physical or virtual infrastructure controlled by such information resources or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of adviser information to maintain or support the adviser’s operations.

Cybersecurity incident means an unauthorized occurrence on or conducted through an adviser’s information systems that jeopardizes the confidentiality, integrity, or availability of an adviser’s information systems or any adviser information residing therein.

Cybersecurity risk means financial, operational, legal, reputational, and other consequences that could result from cybersecurity incidents, threats, and vulnerabilities.

Cybersecurity threat means any potential occurrence that may result in an unauthorized effort to adversely affect the confidentiality, integrity, or availability of an adviser’s information systems or any adviser information residing therein.

Cybersecurity vulnerability means a vulnerability in an adviser’s information systems, information system security procedures, or internal controls, including vulnerabilities in their design, configuration, maintenance, or implementation that, if exploited, could result in a cybersecurity incident.

Personal information means: (1) Any information that can be used, alone or in conjunction with any other information, to identify an individual, such as name, date of birth, place of birth, telephone number, street address, mother’s maiden name, Social Security number, driver’s license number, electronic mail address, account number, account password, biometric records or other nonpublic authentication information; or (2) Any other non-public information regarding a client’s account.