SEC cyber rule proposal poses challenges for small advisers

Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if you have an IT department.
FEB 10, 2022

When it comes to cybersecurity, the financial advice sector may be a step ahead of the SEC, but a rule proposal raises the compliance stakes and could pose challenges for small advisers.

On Wednesday, the Securities and Exchange Commission voted to release a proposal that would require registered investment advisers and investment companies to develop written policies and procedures to address cybersecurity risks that could harm clients or fund investors.

The proposal would require advisers to report cyberattacks to the SEC, disclose them on their Form ADV and maintain books and records related to cybersecurity.

The proposal comes after years of cybersecurity guidance from the SEC, which also has brought an enforcement case based on existing customer protection rules. The agency’s push on the topic has spurred many advisers to develop cyber policies.

But now firms, even if they have a cybersecurity response program, will have to meet the specifics of a stand-alone SEC rule on the issue.

“It codifies what many advisers are already doing as part of their business continuity planning,” said Ken Joseph, managing director and head of U.S. financial services compliance and regulation at Kroll, a consulting firm. “If adopted, it increases the possibility of advisers being liable for breaking what would now be a new [cybersecurity] rule.”

As is the case with many regulations, it will be easier for large firms to comply. Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if they have an IT department.

“The rule will strike many advisers and funds as adding to what they’re already doing,” said Michael Birnbaum, a partner at Morrison & Foerster and a former SEC senior trial counsel. “I’m hopeful this will not add additional unnecessary burdens. If this is implemented in a heavy-handed way, it may present significant challenges, particularly for small advisers.”

One area where small firms may have trouble is in determining whether a cyber attack merits reporting to the SEC and then telling the agency within 48 hours. The proposal says any incident that poses substantial harm to clients or disruption to the business must be reported.

“It will be difficult to meet that quick turnaround time, especially for small to midsize firms that don’t have an in-house IT department,” said Craig Moreshead, managing director at Foreside, a compliance consulting firm. “The commission will have to add more specifics to help firms figure out if something is significant or not.”

A cybersecurity rule would almost certainly require advisory firms to spend more on compliance.

Firms are going to have to have “more cyber experts on hand, either outsourced or in-house,” Moreshead said. “I can’t see smaller firms going it alone and being able to comply.”

But when firms do comply and report incidents to the SEC, it could create another problem, Joseph said.

Publicly disclosing cybersecurity risks and incidents “could itself provide a treasure trove of valuable information for bad actors who are on the prowl for information that could inform the tactics and strategies they use to inform cyber-attacks,” said Joseph, a former SEC examination official. “You have to strike the right balance in assisting firms in boosting their defenses and providing appropriate disclosures to investors while not creating any vulnerabilities for [hackers] to exploit.”

The SEC has put the proposal out for public comment for 60 days.

