Navigating the Impact of the New SEC Cybersecurity Rules on Alternative Investment Advisers
By Zachary Bird, CPA, Senior Manager, Alternative Investment Group
In today’s rapidly evolving digital landscape, cybersecurity has become a critical concern for businesses across all industries. Recognizing the need for increased transparency and accountability, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) has issued a new pronouncement¹ that outlines cybersecurity requirements for all registrants, which includes registered investment companies (“RICs”) and registered investment advisers (“RIAs” or “advisers”). Implementation of this new SEC pronouncement is of critical importance, as it will help advisers safeguard their (and their investors’) sensitive data and protect against cyber threats. By embracing these requirements, companies can enhance their cybersecurity posture, build trust with investors, and mitigate potential financial, operational, and reputational risks.
Before diving into the rule, it is essential to understand the current environment and the potential cyber threats that may affect your investment advisory firm and its clients. An ever-increasing share of economic activity depends on electronic systems, and disruptions to those systems can significantly impact operations and, in the case of large-scale attacks, have systemic effects on the economy as a whole. There has been a substantial increase in cybersecurity incidents, propelled by several factors: the increase in remote work as a result of COVID, reliance on third-party service providers for technology services, and the rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology such as blockchain and digital assets. The costs and negative consequences of a cybersecurity incident to companies have also substantially increased. Costs associated with these incidents include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage.
Overview of the SEC Cybersecurity Rules
On July 26, 2023, the SEC implemented new cybersecurity risk management, strategy, governance, and incident disclosure rules. The new SEC cybersecurity rules were introduced to address the growing threat of cyber-attacks and enhance investor protection. These rules require registrants to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the SEC about certain cybersecurity incidents, and maintain related records.
The new rules also update adviser and RIC disclosure requirements to provide current and prospective advisory clients and investors with improved information regarding cybersecurity risks and cybersecurity incidents. In addition, they require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a confidential basis. Finally, the new rules broaden the scope of information covered by amending the requirements for safeguarding customer records and information and for properly disposing of consumer report information.
Considerations for Registered Investment Advisers
RIAs must disclose to the SEC and investors material cybersecurity incidents that occurred within the past year. This includes incidents with potential financial, operational, or reputational impacts. Advisers should establish robust incident response plans and ensure accurate and timely incident reporting.
Advisers are expected to assess the materiality of cybersecurity risks and incidents based on quantitative and qualitative factors. This assessment should consider potential harm to operations, reputation, and financial condition. Advisers should evaluate the materiality of cybersecurity risks specific to their industry and tailor their risk management strategies accordingly.
Enhanced Due Diligence
The new SEC cybersecurity rules require advisers to conduct thorough due diligence on potential investments. They should assess the cybersecurity risk management practices of target companies and consider the potential financial and reputational impacts of cybersecurity incidents.
Investors in the alternative investment industry are increasingly concerned about cybersecurity risks. With the new SEC rules in place, they expect greater transparency and disclosure from alternative investment advisers regarding their cybersecurity practices. Advisers should proactively communicate their risk management strategies to reassure investors.
Investment Advisers must ensure compliance with the new SEC rules to avoid regulatory scrutiny and potential penalties. They should establish robust cybersecurity risk management programs, enhance management oversight, and develop effective incident response plans.
Collaboration with Service Providers
Advisers often rely on external service providers for cybersecurity expertise and support. The new SEC rules emphasize the need for collaboration with these providers to ensure effective risk management, incident response, and compliance. Advisers should establish strong partnerships with service providers experienced in the alternative investment industry.
Some of the typical service providers used are a prime broker, asset custodian, third-party administrator, valuation or pricing vendor, and compliance or outsourced IT provider. Advisers should thoroughly evaluate a service provider’s cybersecurity measures and protocols when deciding whom to work with. This involves reviewing the provider’s cybersecurity policies, procedures, and practices to ensure they align with industry best practices. Key areas to assess include data encryption, access controls, employee training, vulnerability management, and third-party risk management. Additionally, advisers should inquire about the provider’s incident response plan, since understanding how the provider detects, handles, and responds to cybersecurity incidents is vital. Questions to ask may cover the provider’s incident detection and reporting processes, incident response team composition, and communication protocols during an incident.
Another consideration is to review the coverage provided by your cyber insurance policy in the event of a breach at a service provider. Advisers should carefully examine the policy’s terms and conditions to determine if breaches occurring at a provider are covered. This may involve analyzing the policy’s definitions, exclusions, and limitations related to breaches at third-party vendors. Consulting with the insurance provider or a legal expert may be beneficial to fully understand the coverage.
Best Practices for Effective Risk Management in the Alternative Investment Industry
Establish a Cybersecurity Governance Framework
Investment Advisers should develop and implement a robust cybersecurity governance framework that aligns with industry best practices. This framework should include clear roles and responsibilities, regular board oversight, and ongoing risk assessments.
Conduct Regular Cybersecurity Risk Assessments
Advisers should conduct regular cybersecurity risk assessments to identify vulnerabilities and potential threats. These assessments should be comprehensive, covering all aspects of the alternative investment business, including third-party service providers.
Below are a few examples of ways in which advisers can perform these assessments to fortify the overall cybersecurity environment:
- Conduct vulnerability assessments to identify weaknesses and vulnerabilities in the investment adviser’s systems and infrastructure. This can involve network scanning, penetration testing, and vulnerability scanning tools.
- Review the effectiveness of existing security controls and measures, such as firewalls, antivirus software, access controls, and encryption. Determine if they are sufficient to mitigate identified risks.
- Evaluate security policies and procedures to ensure they are up-to-date, comprehensive, and aligned with industry best practices. This includes policies for data protection, access control, incident response, and employee training.
- Assess the cybersecurity risks associated with third-party vendors and service providers that the investment adviser relies on. This includes reviewing their security practices, incident response plans, and data protection measures.
- Provide cybersecurity awareness training to all employees to ensure they are aware of best practices and potential threats. This includes training on password management, phishing awareness, and safe browsing habits.
- Evaluate the incident response plan to ensure it is comprehensive, up-to-date, and regularly tested. This includes procedures for detecting, responding to, and recovering from cybersecurity incidents.
Obtain Cybersecurity Insurance
For investment advisers, acquiring a comprehensive cybersecurity insurance policy is crucial to mitigate the risks and potential financial damages from cyber-attacks. Typically, cybersecurity insurance policies cover a range of expenses and liabilities, including data breach response, legal defense costs, regulatory fines and penalties, and potential liability for failing to adequately protect sensitive data. Some policies may also offer additional coverage for business interruption losses, reputational damage, and cyber extortion incidents. When selecting an insurance policy, advisers should pay attention to certain specific details. These include the policy’s scope of coverage, exclusions, deductibles, and limits. It is important to understand what types of incidents and losses are covered, as well as any specific exclusions or limitations that may apply.
Implementing the new cybersecurity rules announced by the SEC is paramount for companies operating in today’s digital landscape. These rules not only enhance transparency and accountability but also provide a framework for advisers to safeguard their sensitive data and protect against cyber threats. By embracing these rules, advisers can establish robust cybersecurity risk management programs, enhance management oversight and governance, and improve incident response and reporting capabilities. Compliance with regulatory standards is crucial to avoid scrutiny and penalties and to maintain the trust of investors and stakeholders. Furthermore, effective implementation of the rules helps companies mitigate potential financial, operational, and reputational risks associated with cybersecurity incidents. By implementing the rules in a timely manner, you will be positioned as a leader in the industry, demonstrating your commitment to cybersecurity best practices. This sends a strong message to clients, investors, and partners about the company’s dedication to protecting sensitive data and maintaining the integrity of its operations. Ultimately, implementing the new SEC cybersecurity rules will contribute to a more secure and resilient business environment, instilling confidence in investors, clients, and stakeholders alike.
¹ The technical information relating to the new SEC rules cited in this article was sourced from the U.S. Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.