By Sid Yenamandra
There's no question that cybersecurity is a fast-moving space in general, and that certainly applies to wealth management.
But at this point, we've all had more than a month to digest the latest SEC proposal on cybersecurity risk management, which means there is increasingly no excuse for wealth management firms not to be actively preparing for the new regulatory normal.
First, let's recap the basic background: On Feb 9, 2022, the Securities and Exchange Commission (SEC) voted to propose new cybersecurity risk management rules for registered investment advisers, registered investment companies and business development companies (funds), along with amendments to the existing rules that govern adviser and fund disclosures. This is not a surprise given recent high-profile cyberattacks, and it presents an opportunity for wealth management firms and asset managers to lead on the issue.
According to a 2021 report, ransomware attacks increased 62% since 2019. Ransomware criminals exploit weaknesses in systems to steal data, often holding it hostage and demanding millions of dollars in payment. And it is only expected to get worse in the coming years as these attacks become more complex and harder to detect.
In this dangerous environment, the SEC has understandably taken a hard look at how to sharpen the rules governing cybersecurity across the wealth management industry.
SEC Proposed Cybersecurity Rules
Anytime the SEC proposes potentially wide-ranging rules, there is a natural trepidation across the wealth management space.
In this instance, however, it's worth taking a breath, cutting through the typically dense regulatory verbiage and distilling the proposed rules down to their key essentials for wealth management, which are as follows:
- Advisers and funds must adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.
- Advisers must report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC.
- Advisers and funds must publicly disclose cybersecurity risks, and significant cybersecurity incidents that occurred in the last two fiscal years, in their brochures and registration statements.
- New recordkeeping requirements for advisers and funds are designed to improve the availability of cybersecurity-related information and help facilitate the SEC's inspection and enforcement capabilities.
Start Preparing Now
As with all proposed SEC rules, these will not be effective immediately. The public comment period will remain open for 60 days following the publication of the proposing release on the SEC’s website or 30 days following the publication of the proposing release in the Federal Register, whichever period is longer.
That leaves a window of time for wealth management firms to act now and bring their cybersecurity practices and resources into line with the proposal.
This can also be an opportunity for firms to demonstrate their commitment to protecting data privacy to their financial advisors and clients. There are several areas on which firms may want to focus in advance of final adoption of the SEC proposal, including:
- Building a comprehensive, written cybersecurity policy for the firm based on an industry standard such as NIST SP 800-53
- Ensuring there is a system to continuously monitor cybersecurity risks across devices, users, networks and vendors, and to verify that all systems match the policy of record
- Developing an incident response playbook and an incident log, so that significant incidents can be identified, escalated and reported within the required timeframe
- Enabling incident logs, cybersecurity policies and their revisions, and cybersecurity monitoring reports to be archived in storage systems that meet the SEC Rule 17a-4 recordkeeping requirements
No Need to Go It Alone
While there are many solution providers who can help firms bring order to their cybersecurity programs, it's important to identify the right partner, one who can quickly fill any gaps in existing cybersecurity policies, procedures and systems.
Put bluntly, cybersecurity is an area where regulators, the wealth management industry and vendors are all on the same page, working together to protect the investing public.
To avoid the reputational risk that comes with a successful cyberattack, wealth management firms need to implement rigorous systems and protections as rapidly as possible.
Indeed, in an increasingly unforgiving cybersecurity landscape characterized by rising regulatory expectations, there is no excuse for doing anything less.