This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies".

You can download our ebook on the rule at https://ria.tips/ebook.

The SEC's proposed cybersecurity rule for RIAs contains several elements, but the disclosures are the most controversial by far. They introduce new forms, new questions on existing forms, new public-facing disclosures and tight deadlines. In addition, the forms are not harmonized with similar forms from other agencies.

As you read through this post, think through the implications for your risk assessment, and especially how you might classify different risks and incidents. In the event of an incident, we strongly believe that clearly defined risk levels and definitions are critical to your decision-making process around disclosures. If at all possible, you do not want to be making decisions around substantiality, materiality or “reasonable basis” in the middle of or after an event.

New Form ADV C[yber]

The new form for registered investment advisors under the SEC cybersecurity rule is titled Form ADV-C, which we've been told stands for cyber (who says the SEC doesn't have a sense of humor?). The poor definitions around this form will make it unwieldy to implement initially.

Under the rule, advisers have 48 hours to file a Form ADV-C after they come to believe that they were or are currently under attack.

The SEC:

In other words, an adviser must report within 48 hours after having a reasonable basis to conclude that an incident has occurred or is occurring, and not after definitively concluding that an incident has occurred or is occurring.

48 hours is not a lot of time, and "reasonable basis" is never defined. Moreover, at CyberSecureRIA we don't believe there is enough existing precedent on what “reasonable” means with respect to cybersecurity attacks for advisers to have anything to look to.

While the cybersecurity rule as a whole is built on fiduciary duty, the justification for this form comes down to the SEC's mandate to ensure market stability (“Maintaining Fair, Orderly, and Efficient Markets”). The SEC's belief, as stated in the rule, is that notifications of cybersecurity incidents will give it a level of visibility into incidents that may affect the RIA industry or the markets more broadly, and allow it to coordinate with other federal agencies.

SEC staff have said that this form is for those coordination purposes and not for enforcement purposes.

We believe, as does every other cybersecurity professional we've spoken to about this, that 48 hours is not enough time to gather enough information about an event to report quality, accurate information to the SEC. It's possible that this deadline will be relaxed a little; in the public company cybersecurity rule finalized in 2023, the corresponding deadline was 96 hours. Still, not a lot of time.

The information to be filled in on the form is:

  • Basic contact information
  • Whether the cyber security incident is considered significant or not
  • The approximate date the incident occurred and the approximate date the incident was discovered
  • Whether the incident is ongoing or not
  • Whether law enforcement or another government agency has been notified about the incident
  • “[S]ubstantive information” about the nature and scope of the incident, including actions or planned actions taken to recover
  • Whether information was stolen, altered, or accessed or used for any unauthorized purpose
  • Whether or not the incident has been disclosed to clients
  • If the incident affected critical operations
  • What systems or services were affected if there is a disruption in critical operations
  • Whether the incident was the result of a cybersecurity incident at a service provider
  • If the incident did stem from a service provider, the services provided to the advisor by that service provider
  • Whether or not the cyber security incident is covered under an insurance policy

Download a sample of the new Form ADV-C here.

The SEC believes that this information would not have to be publicly disclosed, but that is a preliminary view and not set in stone.

Advisors will be required to file a new Form ADV-C whenever there is a material change to the information from the previous filing, and again when the internal investigation is wrapped up.

If the final version of the rule does not walk back the requirements of Form ADV-C, then advisors should be prepared for these multiple filings. You will want to have a template ready to go for filling out the information, including the questionnaire to send to service providers who may be involved in the incident or in the response to it and recovery from it.

We also highly recommend that you have legal counsel well versed in cybersecurity incidents on retainer to look over these filings before they are sent to the Commission. During an incident it is easy to speak inaccurately and in ways that can create liability for you later. For instance, terms like hack, breach or data loss are all terms we recommend you avoid until there is certainty about the incident.

Wherever possible, you will also want to shield communications about the incident under attorney-client privilege. Talk to your legal counsel about the best way to accomplish this.


Amendments to Form ADV Part 2A

The justification for amendments to an RIA's narrative brochure is to protect clients and prospective clients with information about cybersecurity risks, incidents and potential incidents that could “materially” affect your relationship with those clients.

The SEC:

We believe the proposed amendments would improve the ability of clients and prospective clients to evaluate and understand relevant cybersecurity risks and incidents that advisers face and their potential effect on the advisers’ services.

Much later in the rule, though, the SEC acknowledges that most investors may not have the requisite cybersecurity knowledge for this information to inform their decisions. The SEC's defense is that third parties will still be able to discern the risk to an advisor and its readiness for it, and provide public commentary or analysis.

What needs to go on the brochure? Again, the SEC:

Advisers would be required to, in plain English, describe cybersecurity risks that could materially affect the advisory services they offer and how they assess, prioritize, and address cybersecurity risks created by the nature and scope of their business. A cybersecurity risk, regardless of whether it has led to a significant cybersecurity incident, would be material to an adviser’s advisory relationship with its clients if there is a substantial likelihood that a reasonable client would consider the information important based on the total mix of facts and information.

In addition, you would be required to report and describe any cybersecurity incidents that occurred within the last two fiscal years that significantly disrupted or degraded your ability to maintain critical operations, or that led to unauthorized data access that resulted in substantial harm to you or your clients.

So the narrative brochure needs to describe risks whether or not they led to incidents, but you only need to disclose incidents that resulted in substantial harm.


Interim Brochures

Finally, advisors would be required to deliver interim brochure amendments to clients if they add a disclosure of an incident to their narrative brochure, or materially revise information previously disclosed in the brochure about an incident.

In other words, if you had a new incident that resulted in substantial harm to you or your clients or had materially new information about a disclosure around a previous incident, you would have to distribute a brochure to your clients.

The SEC does not deliver a clear timeline here, stating: “time is of the essence… the timing of the brochure amendment delivery should take into account the exigent nature of cyber security incidents which would generally militate [weigh heavily] towards swift delivery to clients.”

Vague definitions aside, this requirement is in line with state-level regulations that require businesses to notify consumers if their data was accessed during a cybersecurity incident. You may already be under similar requirements and not know it.