New SEC Rules: Why Investment Firms Must Step up their Cybersecurity Oversight
The alternative investment industry is under mounting scrutiny from multiple angles. In a complex, rapidly shifting regulatory landscape, firms must not only demonstrate due diligence, compliance, and transparency to their investors, but also keep up with a range of international policies and laws on data privacy and cybersecurity. All the while, cyber threats continue to evolve in sophistication and scale – with potentially devastating results for businesses.
As we journey through 2023, the dial is about to be cranked up even further. The Securities and Exchange Commission (SEC) is expected to finalize new cybersecurity requirements for registered advisors and funds in April. Companies will be required to adopt and implement written cybersecurity policies and procedures to address risk and prevent attacks, regularly testing the security of their IT systems through robust penetration testing and other vulnerability assessments. Firms will also need to report any material cybersecurity incidents within a strict timeframe and make clear disclosures about their specific security protocols and risk management strategies.
The proposed rules, as part of Rule 206(4)-9, are designed to bolster investors' confidence in advisors' and funds' operational resiliency, as well as the safety of their investments. They are also likely to be crucial in strengthening firms’ cybersecurity preparedness in the face of rising threats. However, the road to regulatory compliance can be complex and full of obstacles for companies to navigate – and the new requirements will have significant implications for investment advisors and private fund cybersecurity programmes moving forward.
With April only weeks away, firms need to proactively prepare for and respond to these imminent rules. This will involve conducting regular penetration testing, having strong written policies in place, and providing continual cybersecurity education and training.
The impact on firms
Information security and cybersecurity risk for investment advisors and funds have emerged as key focus areas for regulatory bodies like the SEC. The sector depends on a broad array of interconnected systems and networks to carry out critical business operations – and the shift towards increasingly distributed and flexible ways of working has left firms more vulnerable to breach.
Accordingly, security regulations are becoming stricter and more multi-layered. The new SEC regulations will codify best practice into hard-and-fast rules, requiring firms to consistently implement and maintain in-depth cybersecurity, governance, and oversight at every level of the organization. Any deficiencies in disclosure controls and security procedures could result in severe financial penalties.
The proposal will require companies to actively and continuously secure their networks and devices through threat and vulnerability management to detect, mitigate, and remediate cybersecurity risks. Penetration testing will be crucial to ensure this security and compliance. Replicating the vantage point of a malicious actor allows firms to see the ‘real-life’ consequences of a cyber-attack, exposing system vulnerabilities so that they can be swiftly resolved with heightened proactive measures.
Under the new rules, companies are additionally required to adopt, implement, and annually review stringent policies that are designed to address cybersecurity risks. This includes coverage for business continuity planning and incident response. Firms must put dedicated time aside to ensure all security documentation is up-to-date and consistent with business objectives. These policies will provide a roadmap for day-to-day operations, helping companies to evolve in line with changing regulations and respond appropriately to future security and compliance challenges.
Furthermore, the proposal will require advisors to report significant cybersecurity incidents to the SEC within 48 hours. Like advisors, funds will also be required to provide prospective and current investors with cybersecurity-related disclosures, including any incidents that have occurred in the last two fiscal years.
Firms now have an opportunity to take a proactive stance ahead of this change, putting measures in place to meet all the requirements and produce evidence of their progress in building cyber resilience and preparedness.
In addition to strengthening their written information security policies, incident response plans, and business continuity plans, organizations need to actively take account of their risks. Conducting regular and thorough cyber risk assessments enables firms to determine their specific cybersecurity vulnerabilities so that they can correct any issues before consequences emerge. Risk management is a key focus for the SEC’s cybersecurity requirements – and it extends far beyond the firm itself. Advisors and funds must also undertake third-party and vendor risk assessments to ensure they are not caught out by weaknesses in the wider ecosystem of partners, suppliers, and customers.
Firms should also conduct network and cloud penetration testing to identify security gaps and ensure their infrastructure remains robust and well-protected. Furthermore, firms should seriously consider conducting social engineering testing alongside their pentesting to see how they hold up against more sophisticated malicious actors, such as those who recently leveraged LockBit to conduct a ransomware attack against ION Group.
End-user education must also play a central role in firms’ preparations. Supported by the right business policies and controls, multi-layered cybersecurity awareness and training exercises help to ensure that employees are familiar with compliance demands and understand their important role in protecting the company. This education must be continuously updated as cyber threats and regulations evolve.
Staying one step ahead
Change is the only constant in the cybersecurity regulatory landscape. It can be challenging for advisors and funds to continually stay one step ahead of these changes, especially within the complex and demanding context of day-to-day business. However, it has become vital for firms to pre-empt and prepare for future compliance requirements as regulators tighten the screws.
To maintain compliance during this time of change, alternative investment firms should take three key steps. First, conduct robust cybersecurity risk assessments and continuous vulnerability management to understand and mitigate risk wherever possible. Second, ensure they have effective written policies in place and adhere to them. And third, make user education ongoing and multi-layered, binding the human and technical foundations of cybersecurity together to ensure firms remain on the front foot.
Christian Scott is CISO/COO at Gotham Security, an Abacus Group company
© The Sortino Group Ltd (AlphaWeek). All Rights Reserved.