SEC Cybersecurity Rule Changes: The Straight Path to Now

This blog was originally published by Agio on April 4, 2022 here.

Written by Kirk Samuels, Executive Director, Cybersecurity, Agio.

On February 9th, 2022 the United States Securities and Exchange Commission (SEC) proposed new rules related to cybersecurity risk management and disclosures for registered investment advisers, registered investment companies, and funds. For those that have been paying attention, this proposal and its details are no surprise. For nearly eight years the SEC Division of Examinations (The Division, formerly the Office of Compliance Inspections and Examinations (OCIE)) has been communicating gaps in cybersecurity governance they observed in their examinations and the corresponding risks these gaps pose to investors.

Many RIAs and funds saw this coming in 2014, the moment SEC signaled it was serious about cyber. Although the 2014 alerts from the SEC were not “requirements,” it was clear these established the path to tightening security and protecting investor data and their investments from cyber-attacks.

This was the start of the marathon run to SEC compliance and cybersecurity best practices. Some firms were in good shape and only needed specialized coaching to get them past the last few miles. Others were behind the starting line but knew now was the time to get moving. Others waited months or years to start but eventually got running to meet their goal.

2014: The Marathon Mapped for Cybersecurity Risk Management

The race toward real cybersecurity for RIAs and funds started in 2014 when the SEC OCIE (now The Division) began mapping the course for cybersecurity risk for registrants with its first Risk Alert to call out cybersecurity gaps and launch the OCIE Cybersecurity Initiative .

The 2014 Risk Alert addressing cybersecurity contained a sample list of requests for information OCIE may make regarding cybersecurity matters. This was broken down into six high level categories and further down into 28 “areas of interest” (as we at Agio refer to them) they prioritized for initial focus. The six broad categories are:

1. Identification of Risks and Cybersecurity Governance
2. Protection of Firm Networks and Information
3. Risks Associated with Remote Customer Access and Funds Transfer Requests
4. Risks Associated with Vendors and Other Third Parties
5. Detection of Unauthorized Activity
6. Other

The common theme throughout these categories is risk. Through its examinations it was clear to the OCIE that firms did not have a full understanding of the risk that gaps in their cybersecurity policies and procedures posed to the firms and to their investors. This was evidenced by either lack of policies and procedures in key areas, or policies that were in place without corresponding procedures being carried out.

2015-2021: Later Risk Alerts and Observations

Over the next six years OCIE continued to publish alerts of the cyber threats they saw impacting firms and investors and refined the details firms should include in their cybersecurity risk management. All of the six high level categories held true, but additional specific controls were added or emphasized based on breaches that had occurred. These included:

• Password policies to strengthen password uniqueness, complexity, and age.
• Multifactor authentication for all external access and for all users and third parties as well as risks of SMS/text message MFA.
• Incident response and resiliency. In the 2014 Risk Alert protection and detection were the focus, but as more firms and organizations were successfully breached the need to swiftly respond and recover from them became critical as a means to reduce their overall impact. These efforts included periodically testing incident response, disaster recovery, and business continuity plans especially having reliable, tested, and protected backups.
• Training and awareness. User actions and errors continue to be the main point of entry for most cyber-attacks. Employees and third parties need to understand their roles and what to look out for on the cyber front.
• Vendor monitoring and testing. This was a top priority from the start but grew in priority as more firms were breached or had significant business disruption due to their third-party service providers. OCIE spelled out the need to fully understand vendor relationships including rights, responsibilities, and expectations due to false assumptions firms had made regarding what security controls their vendors were responsible for.
• Data loss prevention (DLP). OCIE includes several types of security controls under DLP including vulnerability scanning and patch management, perimeter security, detective security, hardware/software inventories, encryption, and network segmentation.
• Senior leadership engagement. Cybersecurity risk and resiliency require attention at the board and senior leadership levels. OCIE identified that lapses in leadership engagement contributed to breaches of customer and client data and later to SEC fines imposed on brokerage firms in 2021.

2022 and Beyond

Last month the SEC proposed new cybersecurity rules which very likely will be finalized before the end of 2022. Although there may be some changes to the specifics, the overall requirement will remain clear:

“Adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risk.”

In addition to SEC requirements, new federal laws passed this month requiring covered entities to report breaches and ransomware attacks signal increasing urgency and pressure from lawmakers to make cybersecurity a priority across the U.S. Furthermore, on March 21st, 2022 the White House published a statement in which President Biden urged private sectors to harden their cyber defenses immediately. On other fronts, more and more firms are including cybersecurity into their environmental, social and governance (ESG) frameworks due to increasing investor demand. The need to focus on cybersecurity risk will not go away.