Cyberattacks and data breaches have increased in frequency and sophistication over the past few years. They will continue to occur due to geopolitical tensions; the continued evolution of and expanded use of new technologies; increasingly complex business ecosystems; and other factors. Attacks and breaches are impacting every industry, including financial services. Investment advisors and funds must adequately prepare to protect against and respond to these threats.
On February 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules under the Investment Advisors Act of 1940 and the Investment Company Act of 1940 related to cybersecurity risk management, reporting of breach events, and recordkeeping for registered investment advisors and investment funds.1
If adopted, the proposal would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address the cybersecurity risks relevant to their specific businesses, which could impact their clients and investors. Perhaps more notable, the proposal also mandates that advisers report certain cybersecurity events to the SEC on a newly created - and confidential—l - form. This detailed information would only go to the SEC and not be shared with clients or the public. However, the proposal does require that advisers and funds disclose both cybersecurity risks and significant cybersecurity events that occurred during the prior two fiscal years in their Form ADV brochures and registration statements. Finally, the rule proposal adds additional recordkeeping requirements related to cybersecurity, which, according to the SEC, is intended to assist the Commission's examination and enforcement capabilities.
The common characteristics of organizations that are victims of a data breach include:
Lack of a cybersecurity strategy – a cybersecurity strategy articulates how an organization intends to use its resources, personnel, and tools to improve its cybersecurity posture. A strategy also addresses what organizations will do and not do and serves to align cybersecurity projects to the business mission.
Lack of basic cyber hygiene practices – Organizations should have an on-going security awareness and training program focused on creating a cyber conscious culture to protect against phishing and ransomware attacks; as well as implementing vulnerability management, patch management, identity and access management, least privilege, configuration management, data encryption, email filtering, and third party/supply chain risk management.
Insufficient governance – Cyber risks are tracked by the Information Technology department and senior leadership lacks adequate visibility to manage the impact of cyber risks to the overall business mission.
Regulatory compliance alone doesn’t guarantee protection – Many organizations meet compliance obligations and are still victims of data breaches.
Actions You Should Take
Develop a cybersecurity strategy
Conduct a security risk assessment
Set your security goals
Evaluate your organization’s information technology (IT)
Select a security framework (ISO 27001 is a worldwide tailorable standard)
Review organization’s security policies
Create a risk management plan
Implement your security strategy
Evaluate your security strategy at least annual or when there are changes to your IT environment, changes to your business mission and objectives, and/or changes t in local and global cyber threats
Adopt and implement written cybersecurity policies and procedures - that are reasonably designed to address the cybersecurity risks relevant to your specific businesses, which could impact your clients and investors. Review them on an annual basis
Report certain cybersecurity events (per the SEC ruling) to the Commission on a newly created - and confidential – form. Disclose both cybersecurity risks and significant cybersecurity events that occurred during the prior two fiscal years in your Form ADV brochures and registration statements.
Revise recordkeeping practices to include maintaining:
A copy of your cybersecurity policies and procedures formulated pursuant to proposed rule 206(4)-9 that are in effect, or at any time within the past five years were in effect;
A copy of your written report documenting the annual review of your cybersecurity policies and procedures pursuant to proposed rule 206(4)-9 in the last five years;
A copy of any Form ADV-C filed under rule 204-6 in the last five years;
Records documenting the occurrence of any cybersecurity incident, including any records related to any response and recovery from such an incident, in the last five years; and
Records documenting your cybersecurity risk assessment in the last five years.
1In this context, the SEC uses the term “fund” to mean a registered investment company or a closed-end investment company that has elected for treatment as a business development company under the Investment Company Act.