The SEC is proposing rules to regulate investment advisors and funds. The move comes amid a growing number of cyber-related incidents involving funds, the latest being two rogue traders at Fidelity Securities who lost $4 million in client assets on November 29th alone.
The SEC has proposed cybersecurity guidance for investment funds and advisers, and is proposing to require cyber risk management policies and procedures.
Last week, financial authorities proposed long-awaited cybersecurity guidelines for investment funds and advisors that would require tens of thousands of businesses to report intrusions within 48 hours.
The Securities and Exchange Commission proposed on Wednesday that funds and registered investment advisors adopt written policies and procedures for handling cybersecurity events and keep extensive records of them. The agency said that significant incidents should be disclosed to investors and reported to authorities.
While the SEC has incorporated components of cyber advice in previous regulations, such as Regulation Systems Compliance and Integrity and Regulation S-ID (Identity Theft Red Flags Rule), this is the first time it has outlined the cybersecurity preparations it expects from advisors and funds.
“Most respectable investment advisors already have something in place; it’s part of their business-continuity planning and catastrophe and crisis management plans,” said Ken Joseph, managing director of Kroll Holdings Inc.’s financial services compliance and regulatory practice.
Before joining Kroll, Mr. Joseph spent 21 years as an SEC investigator. He believes the main difference in the regulator’s approach is the requirement that advisors disclose severe cyber breaches within 48 hours.
“They will also have to disclose that risk publicly to current and prospective customers if the regulation is implemented as drafted,” he added. Funds must report any “major cybersecurity events” from the previous two fiscal years in brochures and regulatory filings, according to the new regulations.
How the SEC defines “significant” remains a key question, said Kelly Koscuiszka, a partner at New York law firm Schulte Roth & Zabel LLP.
“It depends on the trigger,” she said.
The SEC defines a major incident as one that prevents an advisor or fund from carrying out important activities, such as processing transactions, and states that a firm must disclose an incident if it has a “reasonable basis” to believe that a cyber event is happening. The SEC, which is seeking public input on its criteria, also classifies data breaches as major incidents.
The new standards place much of the responsibility for cybersecurity preparation, record-keeping, and reporting on advisors, even if they use outsourced technology providers. Under the plan, funds must ensure that their third-party technology vendors also follow the new standards.
[Photo: The headquarters of SolarWinds in Austin, Texas. Credit: Getty Images/Suzanne Cordeiro/Agence France-Presse]
“It really makes our life a bit simpler,” said George Ralph, global managing director and chief risk officer of RFA Inc., a provider of financial technology services. “This is something we always advise folks to do, and now the SEC is stating it.”
The proposal is the agency’s most recent cybersecurity-related move.
The SEC reached a $10 million settlement with analytics business App Annie Inc. in September, charging that the company deceived mobile app developers about its privacy protections. As part of the arrangement, App Annie did not admit any wrongdoing. The SEC’s move nonetheless signaled that it would be scrutinizing third-party data providers, on which investors increasingly depend to execute trades.
The SEC fined three investment businesses in August after hackers got into email accounts and stole personal information.
Last year, the SEC opened an inquiry into the breach of numerous government agencies and dozens of U.S. firms that resulted from a hacked SolarWinds Corp. software update.
US authorities learned of the incident only after Mandiant Inc., a cybersecurity business previously known as FireEye Inc., revealed that it had been hacked.
[Photo: Gary Gensler, chairman of the Securities and Exchange Commission. Credit: REUTERS/EVELYN HOCKSTEIN]
“A lot of the inquiries were centered on how you learn about cyber occurrences as a victim, and how these things are disclosed,” Ms. Koscuiszka said of the subsequent SEC investigation.
Last year, the Biden administration implemented first-of-its-kind cyber incident reporting standards for pipeline operators, who must report certain attacks within 12 hours, and rail operators, who must report hacks within 24 hours. Meanwhile, government agencies such as the Federal Trade Commission and the Federal Communications Commission have taken steps to regulate firms’ data use by considering new rules or enforcing existing ones more vigorously.
Despite these efforts, Congress failed in December to include hack-reporting provisions in the US military budget. Sens. Gary Peters (D., Mich.) and Rob Portman (R., Ohio) submitted a fresh package of proposed legislation this week that includes breach-reporting rules.
Angus King (I., Maine), Mark Warner (D., Va.), Jack Reed (D., R.I.), Susan Collins (R., Maine), Kevin Cramer (R., N.D.), Catherine Cortez Masto (D., Nev.), and Ron Wyden (D., Ore.) wrote to SEC chairman Gary Gensler on Tuesday, urging the agency to propose breach-reporting rules in coordination with National Cyber Director Chris Inglis. Mr. Gensler has suggested many times in recent months that new cybersecurity standards would be implemented.
“Investors want to know if corporations and investment managers place a high priority on cybersecurity,” the senators wrote, adding that investors also have a right to be notified as soon as severe cybersecurity problems occur.
—David Uberti contributed to this article.
James Rundle can be reached at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.