Though the SEC has proposed requiring cybersecurity policies and procedures for investment advisers for the first time, it has also provided firms flexibility in addressing the general elements to be covered.
“We recognize that there is not a one-size-fits-all approach to addressing cybersecurity risks. As a result, the proposed cybersecurity risk management rules would allow firms to tailor their cybersecurity policies and procedures to fit the nature and scope of their business and address their individual cybersecurity risks,” the SEC wrote in recently proposed cybersecurity risk management rules. Advisers and funds would also have to report any significant cybersecurity incidents to the SEC on a new confidential form.
General elements of cybersecurity policies and procedures
The proposed cybersecurity rules would require advisers and funds to address five general elements when adopting, implementing, reassessing, and updating their cybersecurity policies and procedures.
Firms would have to periodically assess, categorize, prioritize, and draft written documentation of the cybersecurity risks associated with their information systems and the information they contain. “Generally, this risk assessment should inform senior officers at the adviser or the fund of the risks specific to the firm and support responses to cybersecurity risks by identifying cybersecurity threats to information systems that, if compromised, could result in significant cybersecurity incidents,” the proposed rules state.
User security and access
Advisers and funds would also need to address user access controls to restrict system and data access to authorized users in their cybersecurity programs. Such controls are crucial for preventing and detecting unauthorized access to systems or client data or investor information, especially as remote access and teleworking have become increasingly common, the SEC explains. “We believe that having such measures is a necessary component of robust and comprehensive cybersecurity policies and procedures,” it states in the proposed rules.
Cybersecurity policies and procedures for investment advisers and funds should also include monitoring information systems and protecting information from unauthorized access or use by periodically assessing their information systems and the information that resides therein, according to the SEC. Firms should then use the information obtained from assessments to determine what methods to implement to prevent the unauthorized access or use of such data.
Threat and vulnerability management
Firms should also adopt policies and procedures that establish accountability for handling vulnerability reports, and processes for intake, assignment, escalation, remediation, and remediation testing, the SEC says. According to the proposed rules, “Detecting, mitigating, and remediating threats and vulnerabilities is essential to preventing cyber incidents before they occur. Advisers and funds generally should seek to detect cybersecurity threats and vulnerabilities through ongoing monitoring (e.g., comprehensive examinations and risk management processes).”
Cybersecurity incident response and recovery
The proposed cybersecurity risk management rules for investment advisers and funds would require firms to include measures to detect, respond to, and recover from a cybersecurity incident in their policies and procedures as well. Firms would also have to prepare written documentation of any cybersecurity incident, including their response and recovery. Having such policies and procedures for responding to cybersecurity incidents can help mitigate “significant business disruptions,” the SEC says.
The SEC has requested comment on whether the proposed elements of the cybersecurity policies and procedures for investment advisers and funds are appropriate, and whether any of the elements should be modified or deleted.
Requiring such policies and procedures is part of a broader tightening of the SEC’s cybersecurity policy. Cybersecurity risks threaten the operations of securities markets and could undermine investor confidence, the regulator has warned.
“The SEC recognizes the severity of cybersecurity risk and wants firms to improve their cyber controls. By going beyond providing best practices and taking the next step of creating flexible rules, the SEC can enhance market integrity and investor protection while giving firms the ability to address firm-specific issues. Requiring the establishment of policies and procedures at firms that do not have any while strengthening the cybersecurity programs that do exist will help the SEC achieve its goal,” said Adam Schaub, vice president, platform product management for RegEd.
RegEd’s Policies and Procedures Management solution assists firms with compliance by ensuring that critical compliance information is synchronized with current rules and regulations. It also streamlines preparedness for regulatory audits and market conduct exams with strong documentation and detailed evidence of compliance. Schedule a consultation to learn more about how RegEd’s compliance solutions enable investment advisers to improve efficiency, effectiveness, and transparency across the enterprise.
RegEd is the market-leading provider of RegTech enterprise solutions with relationships with more than 200 enterprise clients, including 80% of the top 25 financial services firms.
Established in 2000 by former regulators, the company is recognized for continuous regulatory technology innovation with solutions hallmarked by workflow-directed processes, data integration, regulatory intelligence, automated validations, business process automation and compliance dashboards. The aggregate drives the highest levels of operational efficiency and enables our clients to cost-effectively comply with regulations and continuously mitigate risk.
Trusted by the nation’s top financial services firms, RegEd’s proven, holistic approach to RegTech meets firms where they are on the compliance and risk management continuum, scaling as their needs evolve and amplifying the value proposition delivered to clients. For more information, please visit www.reged.com.