Page 50 - Investment Advisor June 2022

COMPLIANCE COACH

By Thomas D. Giachetti

4 Ways SEC's New Proposed Rules Put Cybersecurity Front and Center

Despite pushback by industry, advisors and funds will need to update and document their risk management in this area.


In its most focused and significant response to cyber threats in nearly 20 years, the Securities and Exchange Commission released on Feb. 9 proposed new rules regarding cybersecurity risk management, risk disclosures and reporting. My partner Trina Glass spoke to me about the impact that Rule 206(4)-9 under the Investment Advisers Act of 1940 and Rule 38-2 under the Investment Company Act of 1940 could have on the advisory industry.

Specifically, the proposed Cybersecurity Risk Management Rules would:

• Require advisors and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks.

Advisors would be required to conduct, and document in writing, periodic assessments of their cybersecurity risks and their information systems. This would need to include identification of third-party service providers that receive, maintain and process advisor or fund information or that have access to its information systems.

It would also have to include drafting information security policies and procedures reasonably designed to 1) minimize and monitor user-related risks and prevent unauthorized access, 2) include measures to detect, mitigate and remediate cybersecurity threats and vulnerabilities, and 3) include measures to detect, respond to and recover from a cybersecurity incident.

• Require advisors to report significant cybersecurity incidents to the SEC on proposed Form ADV-C, with similar reporting for funds.

The submission of these confidential reports would allow the SEC to monitor and evaluate the effects of a cybersecurity incident on an advisor, a fund or its clients and determine whether the incident creates any potential systemic risks.

• Enhance advisor and fund disclosures related to cybersecurity risks and incidents.

The proposed rules would amend advisor and fund disclosure requirements. Specifically, Form ADV Part 2A would require disclosure of cybersecurity risks and incidents to the advisor's clients and prospective clients. Funds would be required to provide prospective and current investors a description of any significant fund cybersecurity incidents that have occurred in the last two fiscal years in the fund's registration statements.

• Require advisors and funds to make, maintain and retain certain cybersecurity-related books and records.

Rule 204-2 under the Advisers Act also would be amended to require advisors to maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents, and proposed Rule 38-2 would require funds to maintain copies of their cybersecurity policies and procedures and other related records.

Bottom line: The SEC expects advisors and funds to implement information security controls designed to prevent interruptions to mission-critical services, protect investor information, records and assets, and ensure business continuity. That would mean that advisors and funds would have to devote the necessary time, money and expertise to enhance their cybersecurity programs, as the proposed rules would require advisors and funds to protect more data and ensure that all of their information systems are adequately protected and captured by a comprehensive risk management process. This includes data shared with and accessed by third-party service providers.

Rule 206(4)-9 has its roots in the anti-fraud provision of the Advisers Act, which is typically applied broadly by the SEC in enforcement actions and would likely lead to significant fines. The comment period on the proposed rules ended on April 11 with significant pushback from the industry. Regardless, most advisors and funds will need to make substantial changes to their cybersecurity program and should begin working with legal counsel to consider the potential application of the proposed rules to their current cybersecurity practices and oversight.

Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark. He can be reached at [email protected].



              48 INVESTMENT ADVISOR JUNE 2022 | ThinkAdvisor.com