The SEC’s cyber security rules are coming in April

      By now everyone should understand that the SEC is proposing rule 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act. The proposed rule is expected to be finalized in April 2023. Components of this rule have been widely telegraphed for the better part of a decade under prior regulations such as Reg S-P and Reg S-ID. Though the rule has not yet been finalized, the proposed regulation contains 12 expected requirements.
      Existing Regulations

      Reg S-P

      S-P – (Policies and Procedures) Advisers and funds are required to, among other things, adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

      Reg S-ID

      S-ID – (Red Flags) The program must include reasonable policies and procedures to identify and detect relevant red flags, and to respond appropriately to red flags so as to prevent and mitigate identity theft. (Insider Threats) In addition, because fraudulent activity could result from cyber security or data breaches by insiders, such as advisory or fund personnel, advisers and funds often take precautions concerning information security specifically related to insiders.


      These requirements include (see breakdown below):

      1. Policies and procedures
      2. Risk assessment
      3. User security and access
      4. Information protection
      5. Threat and vulnerability management
      6. Cyber security incident response and recovery
      7. Annual review and required written reports
      8. Fund board oversight
      9. Recordkeeping
      10. Incident reporting (Form ADV-C)
      11. Adviser disclosure of a cyber security incident
      12. Fund disclosure of a cyber security incident.

      The rule is widely expected to pass in its current form, and many in the cyber security community argue that it does not go far enough.

      Sample ADV-C

      Proposed Rule Components

      Policies and procedures

      1. Adopt and implement cyber security policies and procedures.
      2. Tailor policies and procedures to fit the nature and scope of the business.
      3. Indicate the parties responsible for administration, implementation, and communication.
      4. Review the policies and procedures at least annually.

      Risk assessment

      1. Categorize and prioritize risk.
      2. Identify service providers that receive, maintain or process adviser or fund information (vendor management).
      3. Risk assessment should include written documentation.
      4. Risk assessment should be conducted periodically.

      User security and access

      1. Require standards of behavior (Acceptable Use Policy, or AUP).
      2. Identify and authenticate individual users.
      3. Create procedures for distribution, revocation and replacement of passwords or authentication methods.
      4. Restrict access to adviser or fund information to those who require it to perform their job function.
      5. Secure remote access technologies.

      Information protection

      1. Assess the sensitivity and importance of adviser or fund information.
      2. Identify any adviser or fund information that is personal.
      3. Assess where and how adviser or fund information is accessed, stored and transmitted, AND monitor this information in transmission.
      4. Assess the access controls and malware protection of adviser or fund information systems. Assess the potential effect of a cyber security incident involving adviser or fund information on the adviser or fund and its clients or shareholders, including the ability to continue to provide service.

      Threat and vulnerability management

      1. Detect, mitigate, and remediate threats and vulnerabilities through ongoing monitoring of both internal and externally facing systems.
      2. Once threats and vulnerabilities are identified, minimize the window of opportunity to exploit vulnerable hardware and software.
      3. Adopt policies that establish accountability, including intake, assignment, escalation, remediation, and testing.

      Cyber security incident response and recovery

      1. Implement measures to detect, respond to, and recover from a cyber security incident, including the continued operation of the fund or adviser, the protection of systems and the information therein, the sharing of communications both internal and external, and reporting to the Commission.
      2. Prepare written documentation of ANY cyber security incident including response and recovery from an incident.

      Annual review and required written reports

      1. Review and assess the cyber security policies and procedures including any changes over the review period.
      2. Prepare a written report that contains: the annual review, the assessment, control tests performed, and documentation of any cyber security incidents that occurred since the last report as well as any material changes in policies and procedures since the last report.

      Fund board oversight

      1. The fund’s board must approve the fund’s cyber security policies and procedures and review the written report on cyber security incidents and material changes to the cyber security policies.
      2. Board oversight should not be a passive activity.

      Recordkeeping

      1. Advisers must maintain a copy of their cyber security policies and procedures that are in effect or have been in effect within the last 5 years.
      2. A copy of the written report/annual review for the last 5 years.
      3. A copy of any ADV-C completed within the last 5 years.
      4. Records documenting cyber security incidents, including response and recovery, for the last 5 years.
      5. Records documenting risk assessments for the last 5 years.

      Incident reporting (Form ADV-C)

      1. Disclose and report a cyber security incident via the IARD system by completing Form ADV-C within 48 hours.
      2. Amend and update the form as new information is uncovered and as necessary.
      3. A new form housed within the IARD system for the reporting of a cyber security incident. See sample attached.

      Adviser disclosure of a cyber security incident

      1. Disclose cyber security risks in plain English.
      2. “Cyber security Risks and Incidents” will be added to Form ADV’s narrative brochure, or Part 2A.
      3. Disclose ALL cyber security risks that could materially impact advisory services, as well as how the adviser assesses, prioritizes, and addresses those risks.
      4. Deliver an interim disclosure to existing clients.
      5. List cyber security incidents within the last 2 fiscal years that led to harm to the adviser or its clients.

      Fund disclosure of a cyber security incident

      1. Disclose cyber security risks in plain English to prospective and current investors.
      2. The fund would be required to disclose any significant fund cyber security incident that has occurred during its last two fiscal years.

      If you would like to find out more about how our team of dedicated cyber security advisors can help you with your specific requirements, please contact us below.

      Read the SEC Press Release in full