In May 2024 the U.S. Securities and Exchange Commission (SEC) adopted amendments to its Regulation S-P, adding to the cyber security requirements for registered investment advisers (including registered investment companies and investment funds. The final SEC cyber risk management rules require advisers and funds to adopt and implement a program with written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. New 2024 SEC rules also include new cyber-related reporting requirements. In this article we explain the core requirements and how organizations can streamline compliance.
Adopt Cyber Security Risk Management Policies
The proposed cybersecurity risk management rules would require advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. (new rule 206(4)-9 under the Advisers Act and new rule 38a-2 under the Investment Company Act.) The key phrase is “reasonable”. The policies would need to address certain key control areas.
What is “Reasonable Security”?
According to the SEC Fact Sheet: “Reasonably designed cybersecurity policies and procedures generally should specify which groups, positions, or individuals, whether inhouse or third-party, are responsible for implementing and administering the policies and procedures, including specifying those responsible for communicating incidents internally and making decisions with respect to reporting to the Commission and disclosing to clients and investors certain incidents.” In summary, “reasonable security” according to the SEC implies management accountability for the cyber security function.
Key Areas Required for Information Security Policies
In addition to the requirement for management accountability, “reasonable” security includes covering key topics within the written program. The proposal requires organizations to establish written information security policies in the following areas: (a) Cyber Risk Assessment; (b) User Security and Access; (c) Information Protection; (d) Threat and Vulnerability Management, and (e) Cybersecurity Incident Response and Recovery.
Organizations that have gaps in security policy coverage can leverage templates, such as the comprehensive library of pre-written information security policies covering each of these key areas and more.
Require Disclosure of Cybersecurity Risks and Incidents
Currently advisors are required to disclose business practices, fees, etc. on Form ADV Part 2A. The new rule amends Form ADV Part 2A to require disclosure of cybersecurity risks and incidents to an adviser’s clients and prospective clients.
Funds are under a similar requirement. Specifically, the amendments require a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in funds’ registration statements, tagged in a structured data language.
Cyber Security Incident Reporting
The update also includes a new rule 204-6 that requires specific reporting of cyber security incidents. This would require advisers to report significant cybersecurity incidents to the Commission, including on behalf of a fund or private fund client, by submitting a new Form ADV-C.
This reporting requirements implies that an organization have several key controls in place:
- The ability to report and track cyber security incidents;
- A formal response plan to respond to incidents;
- A documented process for analyzing and reporting incidents to authorities in the proper format.
Cybersecurity-related books and records
Additionally, the proposal sets forth new recordkeeping requirements for advisers and funds that are designed to improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities. The requirement is to “maintain, make, and retain certain cybersecurity-related books and records.”
Similarly, proposed rule 38a-2 under the Investment Company Act would require that a
fund maintain copies of its cybersecurity policies and procedures and other related records
specified under the proposed rule. This implies that organizations must be diligent about keeping documentation that supports their program.
Streamlining Compliance with SEC Cyber Requirements
For organizations that must comply with the new rules, the ComplianceShield platform from Information Shield can help address all of these key areas:
1. Adopt and implement written policies and procedures;
ComplianceShield contains a comprehensive library of security policy templates covering all of the key cyber requirements of the SEC and many other frameworks. In addition to the time-saving templates, ComplianceShield helps implement written policies by tracking their acknowledgement by all personnel. An audit trail of policy and procedure versions also help maintain “books and records” regarding the management of cyber risks.
2. Report significant cybersecurity incidents to the Commission;
ComplianceShield enables development and management incident response in several areas. First, built-in incident reporting and tracking helps formalize the incident response program. Second, a robust set of incident response policies and procedures are included as Templates within the software. Organizations can use ComplianceShield as a “system of record” for reporting and managing cyber security events and incidents.
3. Enhance adviser and fund disclosures related to cybersecurity risks and incidents;
ComplianceShield enables an organization to quickly understand the cyber risks that are likely to impact the organization, and then the related controls necessary to mitigate the risks. A complete set of Risk Management policy templates enables organizations to quickly document the risk management function to enable formal analysis and reporting.
4. Maintain, make, and retain certain cybersecurity-related books and records;
The ComplianceShield platform enables an organization to maintain all compliance related information in a single, secure portal. Using our Compliance Wizard, organizations can build and document a “reasonable” cyber security program in just minutes, and then maintain these documents over time. Our Cyber Risk Score report enables metrics and benchmarks against best practices and industry peers.
5. Enable Management Accountability for Cyber Security
For any organization to demonstrate “reasonable” security, it must be able to demonstrate that senior management is formally involved and accountable for cyber practices. ComplianceShield enables your organization to quickly define and track management accountability for the cyber security program. The platform includes a library of pre-written information security roles and responsibilities, and then ability for the organization to assign and track responsibility for cyber security controls.
A 14 day free trial of ComplianceShield is available for interested organizations.