SEC cyber rule proposal poses challenges for small advisers

SEC cyber rule proposal poses challenges for small advisers
Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if you have an IT department.
FEB 10, 2022

When it comes to cybersecurity, the financial advice sector may be a step ahead of the SEC, but a rule proposal raises the compliance stakes and could pose challenges for small advisers.

On Wednesday, the Security and Exchange Commission voted to release a proposal that would require registered investment advisers and investment companies to develop written policies and procedures to address cybersecurity risks that could harm clients or fund investors.

The proposal would require advisers to report cyberattacks to the SEC, disclose them on their Form ADV and maintain books and records related to cybersecurity.

The proposal comes after years of cybersecurity guidance from the SEC, which also has brought an enforcement case based on existing customer protection rules. The agency’s push on the topic has spurred many advisers to develop cyber policies.

But now firms, even if they have a cybersecurity response program, it will have to meet the specifics of a stand-alone SEC rule on the issue.

“It codifies what many advisers are already doing as part of their business continuity planning,” said Ken Joseph, managing director and head of U.S. financial services compliance and regulation at Kroll, a consulting firm. “If adopted, it increases the possibility of advisers being liable for breaking what would now be a new [cybersecurity] rule.”

As is the case with many regulations, it will be easier for large firms to comply. Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if they have an IT department.

“The rule will strike many advisers and funds as adding to what they’re already doing,” said Michael Birnbaum, a partner at Morrison & Foerster and a former SEC senior trial counsel. “I’m hopeful this will not add additional unnecessary burdens. If this is implemented in a heavy-handed way, it may present significant challenges, particularly for small advisers.”

One area where small firms may have trouble is in determining whether a cyber attack merits reporting to the SEC and then telling the agency within 48 hours. The proposal says any incident that poses substantial harm to clients or disruption to the business must be reported.

“It will be difficult to meet that quick turnaround time, especially for small to midsize firms that don’t have an in-house IT department,” said Craig Moreshead, managing director at Foreside, a compliance consulting firm. “The commission will have to add more specifics to help firms figure out if something is significant or not.”

A cybersecurity rule would almost certainly require advisory firms to spend more on compliance.

Firms are going to have to have “more cyber experts on hand, either outsourced or in-house,” Moreshead said. “I can’t see smaller firms going it alone and being able to comply.”

But when firms do comply and report incidents to the SEC, it could create another problem, Joseph said.

Publicly disclosing cybersecurity risks and incidents “could itself provide a treasure trove of valuable information for bad actors who are on the prowl for information that could inform the tactics and strategies they use to inform cyber-attacks,” said Joseph, a former SEC examination official. “You have to strike the right balance in assisting firms in boosting their defenses and providing appropriate disclosures to investors while not creating any vulnerabilities for [hacker] to exploit.”

The SEC has put the proposal out for public comment for 60 days.


SEC looking at low-hanging fruit

Latest News

SEC bars ex-broker who sold clients phony private equity fund
SEC bars ex-broker who sold clients phony private equity fund

Rajesh Markan earlier this year pleaded guilty to one count of criminal fraud related to his sale of fake investments to 10 clients totaling $2.9 million.

The key to attracting and retaining the next generation of advisors? Client-focused training
The key to attracting and retaining the next generation of advisors? Client-focused training

From building trust to steering through emotions and responding to client challenges, new advisors need human skills to shape the future of the advice industry.

Chuck Roberts, ex-star at Stifel, barred from the securities industry
Chuck Roberts, ex-star at Stifel, barred from the securities industry

"The outcome is correct, but it's disappointing that FINRA had ample opportunity to investigate the merits of clients' allegations in these claims, including the testimony in the three investor arbitrations with hearings," Jeff Erez, a plaintiff's attorney representing a large portion of the Stifel clients, said.

SEC to weigh ‘innovation exception’ tied to crypto, Atkins says
SEC to weigh ‘innovation exception’ tied to crypto, Atkins says

Chair also praised the passage of stablecoin legislation this week.

Brooklyn-based Maridea snaps up former LPL affiliate to expand in the Midwest
Brooklyn-based Maridea snaps up former LPL affiliate to expand in the Midwest

Maridea Wealth Management's deal in Chicago, Illinois is its first after securing a strategic investment in April.

SPONSORED How advisors can build for high-net-worth complexity

Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.

SPONSORED RILAs bring stability, growth during volatile markets

Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.