Regulatory Alert: SEC Proposes Cybersecurity Rule for Market Entities, Investment Advisors, and Funds
As part of a comprehensive effort to enhance cybersecurity preparedness and resilience across all registrants of the Securities and Exchange Commission (SEC), the SEC has:
- Proposed a Cybersecurity Risk Management Rule for “Market Entities”
- Reopened the February 2022 proposal on Cybersecurity Risk Management for Investment Advisers and Funds
The proposed rules are substantially similar to regulatory guidance issued by the SEC over the past 10+ years. As such, content from previous SBC alerts that cover notable regulatory guidance has been included in the appendix of this alert. The proposed rules and related actions are outlined in this SBC Cybersecurity Alert…
SBC Research & Insights: Mitigating Cybersecurity Threats and Vulnerabilities via Effective Vendor Risk Management Programs
The intent of this document is to present the context required to evolve our cybersecurity due diligence programs, to summarize applicable regulatory requirements, and to outline best practice considerations for performing effective vendor cybersecurity risk management. This paper also highlights cleverDome, Inc., an organization with a vision of collective industry action to solve cybersecurity problems in new and innovative ways.
Regulatory Alert: SEC Proposes Cybersecurity Rules for Investment Advisors
The SEC has proposed cybersecurity rule 206(4)-9, for investment advisors, and rule 38a-2, for asset managers. As SEC Chair Gensler has previously indicated, the SEC is considering several rule changes to strengthen the cybersecurity programs of SEC registrants. These current proposals, focused on SEC-registered investment advisers and funds, seek to improve business practices around cybersecurity and cyber risks, specifically maintaining the security of data, IT systems, and networks, promoting resiliency and incident response, and addressing the timeliness and materiality of cybersecurity incident notifications and disclosures. Registered investment advisers, investment companies, and investment funds should consider how these proposals will impact their current operations and risk management strategies, as well as reporting and disclosure activities.
Cybersecurity Alert: Summary of Notable Cybersecurity Frameworks and Standards
Cybersecurity Alert: Summary of Cybersecurity Guidance from Financial Services Regulators
NASD (n/k/a FINRA) Rules of Fair Practice have always required confidential treatment of customer information. Regulation S-P further strengthened this requirement. Brokers, dealers, investment companies, and investment advisers registered with the SEC are required to:
- Adopt reasonably designed written policies and procedures addressing administrative, technical, and physical safeguards for the protection of customer information and records; and
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information, and against unauthorized access to or use of customer records or information.
Business practices have evolved significantly since the time that FINRA and the SEC originally issued guidance regarding the protection of customer information. This alert summarizes such cybersecurity guidance.
SBC Research & Insights: Utilizing Cybersecurity Risk Assessments to Take Focused Action
The menace of cybercrime is becoming more automated and sophisticated. Financial services firms such as brokers, dealers, asset managers, and investment advisors are high-value targets due to the sensitive information they are required to gather and maintain. This SBC Whitepaper shows you how to use a cybersecurity risk assessment to take focused action, so that you are compliant with regulatory guidance and secure, using our technical know-how.
Your Cyber Expert
Paul is an experienced financial services industry executive serving as a Chief Information Security Officer with multiple Broker Dealers, Registered Investment Advisors, Wealth Managers, and Insurance Firms.
Paul and his team have completed over 300 cybersecurity risk assessments over the past five years and performed vendor risk assessments on hundreds of third parties serving the independent advice industry.