Cybersecurity rule would clarify what SEC expects of advisers

Cybersecurity rule would clarify what SEC expects of advisers
A pending proposal likely would focus on strengthening advisory firms' disclosures and their preparedness for cyber risks.
JAN 27, 2022

The SEC hasn’t been shy about pushing financial advisers to protect their clients’ data from cybersecurity breaches, but a pending rulemaking likely will clarify the regulator's expectations.

Over the last few years, the Securities and Exchange Commission has issued cybersecurity guidance, made the topic an examination priority and brought enforcement cases that centered on cybersecurity lapses that violated existing customer protection rules.

Now the agency is poised to release a proposal in the next few months that would strengthen disclosures and preparedness related to cybersecurity risks for funds and investment advisers, according to an item on the regulator’s agenda.

“The industry needs guidance in this area,” said Amy Lynch, president and founder of FrontLine Compliance. “Smaller firms are struggling as to what they need to do. Having a written rule will level the playing field for the industry and give firms the necessary [direction] to implement systems that will actually protect their data.”

SEC Chairman Gary Gensler earlier this week outlined how the agency intends to step up its cyber oversight. In addition to the rule for funds and advisers, it’s working on a separate measure for public company disclosures related to cyber risks. It’s also considering updating rules regarding systems compliance for exchanges, and customer records and information protection for brokers, advisers and investment companies.

The SEC is making this push on cyber rules in part because the dramatic expansion of working from home has caused a greater reliance on technology while cyberattacks are becoming more aggressive.

“The SEC wants to make sure the policies, procedures and practices we had in place before the pandemic are still appropriate,” said Tiffany Smith, a partner at WilmerHale. “It’s about refreshing processes so they account for the current environment and the risks we’re facing.”

The SEC periodically critiques the financial industry’s cybersecurity practices. A cyber rule would likely address some of the problems the agency has observed.

“They’re just not satisfied with the control environment either from a technology perspective or a policies and procedures perspective,” said Scott Kimpel, a partner at Hunton Andrews Kurth.

The SEC won’t have to write a cyber rule for advisers from whole cloth. It can look to what other regulators have done, Lynch said.

The National Futures Association, for instance, implemented a rule that requires its members to adopt and enforce an information security program. New York and California have their own data protection laws.

“The SEC may take the NFA guidance as a starting point and could go further,” Lynch said. “They’ve got a road map to follow, and it makes it much easier for them when it comes to rulemaking.”

Gensler highlighted existing rules that could pertain to cybersecurity, such books-and-records, compliance and business continuity. A specific cyber rule could put it all in one place.

“The goal is a more robust cybersecurity environment and less enforcement activity due to a better understanding about compliance obligation,” Kimpel said.

Financial advisers don’t need to wait for a cyber rule to start bolstering their digital protections. Smith suggests they review the SEC examination priorities for cybersecurity mentions.

“Firms should make sure their policies and procedures satisfy the areas the staff is interested in,” she said.

Now is the time for brokers and advisers to tackle cybersecurity upgrades they’ve been putting off.

“You can get half of the way there, if your countermeasure suite is state of the art,” Kimpel said.

The onus of ESG investing

Latest News

SEC bars ex-broker who sold clients phony private equity fund
SEC bars ex-broker who sold clients phony private equity fund

Rajesh Markan earlier this year pleaded guilty to one count of criminal fraud related to his sale of fake investments to 10 clients totaling $2.9 million.

The key to attracting and retaining the next generation of advisors? Client-focused training
The key to attracting and retaining the next generation of advisors? Client-focused training

From building trust to steering through emotions and responding to client challenges, new advisors need human skills to shape the future of the advice industry.

Chuck Roberts, ex-star at Stifel, barred from the securities industry
Chuck Roberts, ex-star at Stifel, barred from the securities industry

"The outcome is correct, but it's disappointing that FINRA had ample opportunity to investigate the merits of clients' allegations in these claims, including the testimony in the three investor arbitrations with hearings," Jeff Erez, a plaintiff's attorney representing a large portion of the Stifel clients, said.

SEC to weigh ‘innovation exception’ tied to crypto, Atkins says
SEC to weigh ‘innovation exception’ tied to crypto, Atkins says

Chair also praised the passage of stablecoin legislation this week.

Brooklyn-based Maridea snaps up former LPL affiliate to expand in the Midwest
Brooklyn-based Maridea snaps up former LPL affiliate to expand in the Midwest

Maridea Wealth Management's deal in Chicago, Illinois is its first after securing a strategic investment in April.

SPONSORED How advisors can build for high-net-worth complexity

Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.

SPONSORED RILAs bring stability, growth during volatile markets

Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.