The Devil Really is in the Details: The SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies and BDCs
Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and TradeStation with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures (https://www.sec.gov/news/press-release/2022-131). The violations at issue might seem less than critical, such as not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisers to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million) underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker-dealers and investment advisers to up their game and focus on the details.
This brings us back to another initiative by the SEC. Noting the lack of cybersecurity preparedness it has observed among registered investment advisers (“advisers”) and investment companies (“funds”), and the significant impact that a cybersecurity breach could have on clients and markets, the SEC proposed rules on February 9, 2022 to fill the gaps it believes are left by the current regulatory framework, such as Regulations S-P and S-ID. Entitled “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies” (https://www.sec.gov/rules/proposed/2022/33-11028.pdf), the proposed rules would impose significant obligations on covered entities, including obligations to adopt and implement written cybersecurity policies and procedures containing certain elements (described below), disclose significant cybersecurity risks and incidents and amend those disclosures as needed, retain relevant records for five years, and report significant cybersecurity incidents to the SEC.