SEC proposes first cybersecurity rule for investment advisers

Under the regulation, advisers would have to adopt and implement policies and procedures to address cyber risks and report incidents to the SEC and on their Form ADV.
FEB 09, 2022

The SEC on Wednesday for the first time proposed a cybersecurity rule for registered investment advisers and investment companies.

The proposed regulation, which the Securities and Exchange Commission released for public comment on a 3-1 vote, would require advisers to adopt and implement written policies and procedures that address risks related to cyberattacks.

Under the 243-page proposed rule, advisers would have to report incidents to the agency on a confidential form and disclose major cyber breaches over the last two fiscal years on their Form ADV. It also mandates that advisers keep books and records related to cybersecurity.

The SEC drafted the cybersecurity rule to protect investors and strengthen market stability at a time when cyberattacks are increasing, SEC Chairman Gary Gensler said at an SEC open meeting.

“Cybersecurity incidents can lead to significant financial, operational, legal and reputational harm for advisers and funds,” Gensler said. “More importantly, they can lead to investor harm. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”

Over the last few years, the Securities and Exchange Commission has issued cybersecurity guidance, made the topic an examination priority and brought enforcement cases that centered on cybersecurity lapses that violated existing customer protection rules.

The proposal distills the SEC’s expectations on cyber preparedness in a stand-alone cyber rule.

SEC Commissioner Hester Peirce opposed releasing the proposal, saying it could create a foundation for enforcement against advisers who are victims of cyberattacks. She criticized an adversarial approach that might limit the ability of regulators and financial firms to work together on combatting cyber threats.

“A cyber rule that is styled as a cudgel will not facilitate such cooperation,” Peirce said during the open meeting. “A cyber policies and procedures rule may not even be necessary to foster the investments, strong cyber defenses, dialogue, communication and cooperation we seek for investment advisers and funds.”

The proposal will be open to public comment for 60 days after it’s posted on the SEC website or 30 days after it’s published in the Federal Register, whichever is longer. After reviewing the feedback, the SEC might revise the proposal before voting on a final rule.
