Part 1: SEC’s Proposed Cybersecurity Risk Management Rule for Investment Advisors and Funds: What to Know

Gaini Umarov:

Thank you, Jerry. Glad to be here. My name is Gaini Umarov. I'm a Senior Manager in the IT Risk, Data Privacy and Security department. I specialize in IT governance, risk and compliance.

JR:

What we're going to do is break this up in a couple of different ways. We're going to talk about first in this series, the why and the what, and then the second part will be really the how fund managers and investment advisors could really look at this reg and implement it effectively. So ultimately on the why, really want to take you through what the SEC has done over the years. So, this is not new to many fund managers and investment advisors, including public companies. So, over the years, even going back eight or nine years, the SEC really took action to look at cybersecurity in a different way. And what that means is they've invested a lot more time in making sure that they allowed the investment advisors funds and public companies again to comply with some new regulations and have a cybersecurity posture that they felt was necessary to protect investor data.

So, they created an enforcement division probably about eight years ago at this point, and that really was the start. So, back in 2022 is when this proposed ruling was put out there. And I will tell you there was a lot of comment letters on this that is public knowledge and some pushback on how to actually implement this. So, some of it was ambiguous. So, ultimately, our goal today on the why and the what in this series is to take you through that. Why are they doing this and what can you expect in this regulation? So, everybody knows that there have been a lot of cybersecurity incidents over the years. Bank of America, Fidelity had some incidents, and clearly those are public companies and for those of you who don't know, public companies have just recently, and the SEC had proposed these rules a couple of years ago as well, but now they are fully adopted.

The public companies now had to disclose the rest, their security posture. And this is somewhat similar now, although this is a proposed rule, what I will say is we think, and others think that there's a potential that this will be adopted soon in 2024, maybe mid-2024. So, what we're trying to do here is have everybody understand what you can do again to comply with this and also the how. So that second part will again be at the how. So, what I wanted to make sure we talk about right now is again, the why. And there's a lot of different components of this, which we'll go through in a minute, but I wanted to at least take it to Gaini and talk to Gaini about what you think on the why and the what.

GU:

I totally agree in the fact that we know about these incidents because public companies have had the requirement to disclose these issues. This year it was fully adopted for public companies to disclose cybersecurity incidents. And this reg affects non-public companies, the smaller the mid-sized ones that are not public. And these requirements should significantly increase the transparency as well as the ability to rely on these funds to disclose issues that might affect stakeholders. Ultimately, people are investing and whose money is being managed.

JR:

This is top of mind for sure. That's a great point, Gaini for boards as well, executive management. We're seeing that trickle down even from the public companies. So, clearly investment advisors and fund managers, small-to-large, have been viewing this as a priority item. And again, the SEC is doing the same. I mean, the wise scenario is pretty evident. Generative AI is allowing hackers to do a lot more and be a lot more effective at getting into customer data, getting into networks, etcetera. Phishing campaigns, ransomware, you name it, we hear it in the news all the time and it continues to happen. So, it's not a matter of why or if. It's when. So ultimately what we're going to focus on a little bit more obviously is the what. And what I wanted to make sure that we do is hit a couple key topics and also know that before we even go further, the SEC again has invested a lot of time in this and effort and resources to make sure that others see this as an imperative item. And again, the impending proposed rule we think is coming soon. So, with that said, let's go into a little bit of the what, and let's talk about that a little bit. So Gaini, you start that.

GU:

Of course, what we noticed from the reg is that there's four main components that the reg proposes. It all starts with policies and procedures. The fact that the SEC wants all the non-public companies, non-public funds to start documenting detailed policies and procedures and how to enact if anything actually happens, if any of these cybersecurity incidents occur, they're proposing a way to help all the individuals within the firm to act in a unified way because all these cyber incidents need to be acted on swiftly. So, the first thing we see is the requirement to do policies, procedures. Now, before we get into that, the reg also talks about annual risk assessments, which in our opinion is something that should come first. Knowing where your risks are and doing an effective annual risk assessment should help identify all the key risks that the organization is facing when it comes to this role, specifically when it comes to cybersecurity. This is something new for them that hasn't been done. So, I would assume that there's a lot of questions that arise from this. I think that the second piece that's very important, which I would ask you have more experience in the disclosure piece, would you be able to talk about more?

JR:

Yeah, sure. So, the second piece is really the breach notification and disclosure to the SEC. And there's even another piece. So, there's really four parts. You talked about policies and procedures, and there's layers beneath that that will even get into even more your risk assessment, the way the board has oversight over policies and procedures. The second, third and fourth are really the SEC's breach notification and disclosure. So, that's two and three and your record keeping. So, what I really want people to understand is that documentation is a real thing. It's something that takes time, it takes effort. We see a lot of our clients actually struggling to make sure that they keep that documentation, maintain it, manage it, and also update it on a regular basis because processes change all the time, right? Technology changes all the time. So, the processes will change with that.

So, when it comes to breach notification, I know there's a 48-hour rule on this at this point. Now, with public companies, what they did there, we may see this coming about with this ruling as well, where it's as you get notified, as you figure out that you actually have a material breach, and just keep in mind that what there is you have to define what that means for you. Did it have a significant impact on your operations? More importantly to investors. So, the ones that you represented as an investment advisor and a fund manager, do your fiduciary duty to protect their information, protect their money, which is already regulated. So, now it's going down to data and on cybersecurity, right? So, that breach notification at 48 hours I know is still in the ruling, but there's an element of, it's when you figure out that it's material and that how you disclose it is very important, how quickly you disclose to the SEC. And then again, the record keeping pretty straightforward. You have to maintain the records.

GU:

And it's funny that the fourth piece, the recordkeeping piece is probably something new to a lot of these funds. Previously, the retention periods and the requirements for recordkeeping wasn't as strict as what the new requirement proposes, which is the baseline for providing all these investigations, the right and accurate information to be able to identify how it happened, why, and to actually go and enforce any of the rules into the breaches.

JR:

I think a lot of the enforcement actions to that point have really been in, there have been penalties from the cybersecurity enforcement action division. And that division and unit has put penalties on different investment advisors over the years. Again, because of that record keeping issue, not being able to disclose and provide information as to what happened. So, that's going to be really key. I mean, this is really truly an investment in compliance than being a good steward of the information that you're holding. And also keep in mind, and we'll get to this on the how. There's the element of third-party risk there. You're using a lot of third-party risk or you're using a lot of third parties to do what you do as a business for your investors. So how do you understand what they're doing on your behalf? And this could be professional service firms that you're using. This could be technology firms that you're using and vendors, et cetera. So really diving into that a little bit more as we get to the how, but that's really important. Starting again with the risk assessment. So can you go into a little bit more on a risk assessment process potentially and what that looks like.

GU:

Of course. And I don't think the risk assessment piece is new to a lot of our viewers, as that's probably the fundamental piece for any of the business process and IT. However, this cybersecurity element to it provides a new realm where you need to assess not just it's more of a combination now of what your third-party risk is, as well as how advanced or how cut edge certain tactics that you're using to protect yourself. Are you using good user management? Are you making sure that any of the breaches that occurred usually come from phishing campaigns? They come from within, and they're all targeted at the organization, not being familiar with how these tactics are executed. So, the big piece of this reg comes with the requirement of board and higher management, higher leadership sign off on all these policies and procedures, whereas these policies and procedures then further help identify what kind of risk assessments does the organization want to do.

Obviously when it comes to fund managers, a lot of these are data. I would say keeping the data within the organization and making sure that that data isn't available to outside sources. So, you have to really think can be careful what kind of third parties providers are using, where are they storing their information? And it's becoming more of a focus on the third party, or rather the sub-service organizations that these third parties achieve their goals. And often they are either data centers or outside cloud-based services that are often the targets of all these cybersecurity effects.

JR:

I've heard you talk about this many times obviously. Having the comprehensive risk assessment is really being proactive, right, and not reactive. So, ultimately helping an organization build the foundation, again, even the smaller organizations could have ten people and outsource everything that they do on the technology side, and maybe even other than technology, could even be accounting, et cetera. You have clients that do that as well. So, being proactive to identify, protect, detect, and respond is really, really important. So, I know that's the goal of the what is to really focus heavily on risk assessment, which is all great points.

GU:

The emphasis is to continuously do this. This is not something that should be done absolutely on its own. This is something that the SEC wants fund managers to fulfill. And on the other hand, if you look at it, it's just good practice. Even if it wasn't for this reg, this is something that if you proactively do, you inherently remove or reduce the risk of these incidents happening. So, it's just a proactive way of keeping your environment secure, which I think we can go into more into the second video.

JR:

Yeah, I agree. And ultimately, I think we covered a lot here. So, the why and the what, really important, right? Why is the SEC doing this? I mean, think about the environment that we're all in. Think about the risk posture that we need to have. Again, peace of mind over risk and opportunities. We haven't even really talked too much about the board oversight. We'll get to that in the how, because boards are also asking what do I need to do and how do I do it as well to stay informed. So, stay tuned for the second part, series and Giani, thank you again. And thank you all for listening.

^{Transcribed by Rev.com}