SEC cyber rule proposal poses challenges for small advisers

SEC cyber rule proposal poses challenges for small advisers
Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if you have an IT department.
FEB 10, 2022

When it comes to cybersecurity, the financial advice sector may be a step ahead of the SEC, but a rule proposal raises the compliance stakes and could pose challenges for small advisers.

On Wednesday, the Security and Exchange Commission voted to release a proposal that would require registered investment advisers and investment companies to develop written policies and procedures to address cybersecurity risks that could harm clients or fund investors.

The proposal would require advisers to report cyberattacks to the SEC, disclose them on their Form ADV and maintain books and records related to cybersecurity.

The proposal comes after years of cybersecurity guidance from the SEC, which also has brought an enforcement case based on existing customer protection rules. The agency’s push on the topic has spurred many advisers to develop cyber policies.

But now firms, even if they have a cybersecurity response program, it will have to meet the specifics of a stand-alone SEC rule on the issue.

“It codifies what many advisers are already doing as part of their business continuity planning,” said Ken Joseph, managing director and head of U.S. financial services compliance and regulation at Kroll, a consulting firm. “If adopted, it increases the possibility of advisers being liable for breaking what would now be a new [cybersecurity] rule.”

As is the case with many regulations, it will be easier for large firms to comply. Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if they have an IT department.

“The rule will strike many advisers and funds as adding to what they’re already doing,” said Michael Birnbaum, a partner at Morrison & Foerster and a former SEC senior trial counsel. “I’m hopeful this will not add additional unnecessary burdens. If this is implemented in a heavy-handed way, it may present significant challenges, particularly for small advisers.”

One area where small firms may have trouble is in determining whether a cyber attack merits reporting to the SEC and then telling the agency within 48 hours. The proposal says any incident that poses substantial harm to clients or disruption to the business must be reported.

“It will be difficult to meet that quick turnaround time, especially for small to midsize firms that don’t have an in-house IT department,” said Craig Moreshead, managing director at Foreside, a compliance consulting firm. “The commission will have to add more specifics to help firms figure out if something is significant or not.”

A cybersecurity rule would almost certainly require advisory firms to spend more on compliance.

Firms are going to have to have “more cyber experts on hand, either outsourced or in-house,” Moreshead said. “I can’t see smaller firms going it alone and being able to comply.”

But when firms do comply and report incidents to the SEC, it could create another problem, Joseph said.

Publicly disclosing cybersecurity risks and incidents “could itself provide a treasure trove of valuable information for bad actors who are on the prowl for information that could inform the tactics and strategies they use to inform cyber-attacks,” said Joseph, a former SEC examination official. “You have to strike the right balance in assisting firms in boosting their defenses and providing appropriate disclosures to investors while not creating any vulnerabilities for [hacker] to exploit.”

The SEC has put the proposal out for public comment for 60 days.


SEC looking at low-hanging fruit

Latest News

Financial advisors, what is your volatility game plan for client management?
Financial advisors, what is your volatility game plan for client management?

With targeted "comfort calls" and strategically automated follow-ups, advisors who leverage their CRM systems effectively can show up when clients need them most.

Trump eyes no taxes for Americans making less than $150k, says Lutnick
Trump eyes no taxes for Americans making less than $150k, says Lutnick

The plan could offer $24,000 in relief for some taxpayers, but experts warn of consequences.

No new trial for convicted GPB Capital executives
No new trial for convicted GPB Capital executives

"I've seen lots of denial in this business but this GPB thing take the cake," says one industry executive.

BlackRock-led deal for Panama Ports draws ire from China
BlackRock-led deal for Panama Ports draws ire from China

Commentary from state-owned publication blasts sale to investor consortium as "spineless groveling," denting Hong Kong-based firm's stock.

Gold soars past $3,000 as Trump turbocharges record rally
Gold soars past $3,000 as Trump turbocharges record rally

Higher interest rates and a strong US dollar, which traditionally act as headwinds, haven't deterred market-stung investors from seeking refuge in the yellow metal.

SPONSORED Beyond the all-in-one: Why specialization is key in wealth tech

In an industry of broad solutions, firms like intelliflo prove 'you just need tools that play well together'

SPONSORED Record growth: Interval funds emerge as key players in alternative investments

Blue Vault Alts Summit highlights the role of liquidity-focused funds in reshaping advisor strategies