The SEC’s cyber security rules are coming in April 2023

      By now everyone should understand the SEC is proposing rule 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act. The proposed rule is expected to be finalized in April 2023. Components of this rule have been widely telegraphed for the better part of a decade under prior regulations such as Reg S-P and Reg S-ID. Though the rule has not yet been finalized the proposed regulation contains 12 expected requirements.
      Existing RegulationsAtoms / Icons / plusExpand

      Reg S-P

      S-P – (Policies and Procedures) For example, advisers and funds are required to, among other things, adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

      Reg S-ID

      S-ID- (Red Flags) program must include reasonable policies and procedures to identify and detect relevant red flags, as well as respond appropriately to red flags so as to prevent and mitigate identity theft. (Insider Threats) In addition, because fraudulent activity could result from cyber security or data breaches from insiders, such as advisory or fund personnel, advisers and funds often take precautions concerning information security specifically related to insiders.

      Read more

      12 Expected Requirements of SEC Cyber Security Rules

      These cyber security requirements include (see breakdown below):

      1. Policies and procedures
      2. Risk assessment
      3. User security and access
      4. Information protection
      5. Threat and vulnerability management
      6. Cyber security incident response and recovery
      7. Annual review and required written reports
      8. Fund board oversight
      9. Recordkeeping
      10. Incident reporting (Form ADV-C)
      11. Adviser disclosure of a cyber security incident
      12. Fund disclosure of a cyber security incident.

      The rule is widely expected to pass in its current form and many in the cyber security community argue that the rule does not go far enough.

      Sample ADV-C

      Proposed Rule Components

      Policies and procedures

      1. Adopt and implement cyber security policies and procedures
      2. Tailor policies and procedures to fit the nature and scope of the business.
      3. Indicate parties responsible for administration, implementation, and communication.
      4. Reviewed at least annually

      Risk assessment

      1. Categorize and prioritize risk.
      2. Identify Service providers that receive, maintain or process adviser or fund information (Vendor Management).
      3. Risk assessment should include written documentation.
      4. Risk assessment should be conducted periodically.

      User security and access

      1. Require standards of behavior (Acceptable Use Policy, or AUP).
      2. Identify and authenticate individual users.
      3. Create procedures for distribution, revocation and replacement of passwords or authentication methods.
      4. Restrict access to adviser or fund information or those who require access to perform their job function.
      5. Secure remote access technologies

      Information protection

      1. Assess the sensitivity and importance of adviser or fund information.
      2. Identify any adviser or fund information that is personal.
      3. Assess where and how adviser or fund information is access, stored and transmitted AND monitoring this information in transmission.
      4. Assess adviser or fund information systems access control and malware protection. Assess the potential effect of a cyber security incident involving an adviser or fund information on the adviser or fund and its clients or shareholders including the ability to continue to provide service.

      Threat and vulnerability management

      1. Detect, mitigate, and remediate threats and vulnerabilities through ongoing monitoring including internal and externally facing systems.
      2. Once identified threats and vulnerabilities should minimize the window of opportunity to exploit vulnerable hardware and software.
      3. Adopt policies that establish accountability including intake, assignment, escalation, remediation, and testing.

      Cyber security incident response and recovery

      1. Implement measures to detect respond to and recover from a cyber security incident including the continued operation of the fund or adviser, the protection of systems and information therein, the sharing of communications both internal and external as well as reporting to the Commission.
      2. Prepare written documentation of ANY cyber security incident including response and recovery from an incident.

      Annual review and required written reports

      1. Review and assess the cyber security policies and procedures including any changes over the review period.
      2. Prepare a written report that contains: the annual review, the assessment, control tests performed, and documentation of any cyber security incidents that occurred since the last report as well as any material changes in policies and procedures since the last report.

      Fund board oversight

      1. The fund’s board must approve the funds cyber security policies and procedures and review the written report in cyber security incidents and material changes to the cyber security policies.
      2. Board oversight should not be a passive activity.


      1. Advisers must maintain a copy of their cyber security policies and procedures that are in effect or have been in effect for the last 5 years.
      2. a copy of the written report/annual review for the last 5 years.
      3. a copy of any completed ADV-C completed for the last 5 years.
      4. Records of documenting cyber security incidents including response and recovery for the last 5 years.
      5. Records documenting a risk assessment for the last 5 years.

      Incident reporting (Form ADV-C)

      1. Disclose and Report a cyber security incident via the IARD system and completion of form ADV-C within 48 hours.
      2. Amend and update the form as new information is uncovered and as necessary.
      3. A new form housed within the IARD system for the reporting of a cyber security incident. See sample attached.

      Adviser disclosure of a cyber security incident

      1. Disclose cyber security risks in plain English.
      2. “Cyber security Risks and Incidents” will be added to Form ADV’s narrative brochure, or Part 2A.
      3. Disclose ALL cyber security risks that could materially impact advisory services as well as how they address, prioritize, and address risk
      4. Deliver an interim disclose to existing clients.
      5. List cyber security incidents within the last 2 fiscal years that led to harm the adviser or clients.

      Fund disclosure of a cyber security incident

      1. Disclose cyber security risks in plain English to prospective and current investors.
      2. The fund would be required to disclose any significant fund cyber security incident that has occurred during its last two fiscal years.

      If you would like to find out more about how our team of dedicated cyber security advisors can help you with your specific requirements, please contact us below.

      Contact Us

      Read the SEC Press Release in full

      Previous post Next post

      More like this

      SEC Commissioner Lizárraga’s speech at the Digital Directors Network 2023 conference

      Recently, Commissioner Lizárraga spoke at the Digital Directors Network 2023 conference. We can gain valuable insights from the speeches that…
      Read more

      Guidance on ChatGPT (or other AI language models) For Regulated Firms

      Over the last few months many clients have been asking for guidance as it relates to ChatGPT and other natural…
      Read more

      FINRA highlights cyber security as one of the top risks facing the financial industry

      FINRA recently released their “2023 Risk Profile” report, highlighting cyber security as one of the major threats confronting the financial…
      Read more

      Upcoming cyber regulations - what can you do to prepare?

      On 4 January 2023, the current administration released its Fall 2022 regulatory agenda. In this document they outlined the upcoming…
      Read more

      Cyber Risk in the Middle East – How secure is your firm and its ecosystem?

      Cyber-attacks are the unauthorised exploitation of systems, networks and technologies and they have been a high-risk item on companies' agendas…
      Read more

      Cybersecurity Awareness Month – a focus for asset managers

      Cybersecurity Awareness Month occurs each October and is a collaboration between government and private industry, designed to promote the importance…
      Read more