By Marianne Bailey, Alma Angotti
Cyberattacks and data breaches have increased in frequency and sophistication over the past few years, and they will continue to occur, driven by geopolitical tensions, the continued evolution and expanded use of new technologies, increasingly complex business ecosystems, and other factors. Attacks and breaches are affecting every industry, including financial services. Investment advisers and funds must adequately prepare to protect against and respond to these threats.
On February 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 covering cybersecurity risk management, reporting of cybersecurity incidents, and recordkeeping for registered investment advisers and investment funds.[1]
If adopted, the proposal would require investment advisers and funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address the cybersecurity risks relevant to their specific businesses, since those risks could affect their clients and investors. Perhaps more notable, the proposal would also require advisers to report certain significant cybersecurity incidents to the SEC on a newly created, confidential form. That detailed information would go only to the SEC and would not be shared with clients or the public. However, the proposal would also require advisers and funds to disclose both cybersecurity risks and significant cybersecurity incidents that occurred during the prior two fiscal years in their Form ADV brochures and registration statements. Finally, the proposal adds recordkeeping requirements related to cybersecurity, which, according to the SEC, are intended to support the Commission's examination and enforcement capabilities.
To prepare for the proposed rules, investment advisers and funds should:
Develop a cybersecurity strategy
Adopt and implement written cybersecurity policies and procedures that are reasonably designed to address the cybersecurity risks relevant to your specific business and that could affect your clients and investors, and review them at least annually
Report certain significant cybersecurity incidents, as defined in the proposed rule, to the Commission on the newly created confidential form, and disclose both cybersecurity risks and significant cybersecurity incidents that occurred during the prior two fiscal years in your Form ADV brochures and registration statements
Revise recordkeeping practices to include maintaining: