How advisors should prepare for new cybersecurity rules

The Securities and Exchange Commission wants advisors to take a closer look at cybersecurity risks.

In February, the SEC proposed rules that would require advisors to periodically assess their information systems and categorize cybersecurity risks, report significant cybersecurity events within 48 hours, and ensure client information is protected by third-party vendors. 

The pending rule is designed to protect investors and bolster confidence, with Commission chair Gary Gensler stating the agency is working to improve the ‘resiliency of our registrants’ given the evolving risk landscape. The public comment period for the rules has closed, and RIAs are still waiting for a final rule from the SEC. 

The proposal ‘provides a very detailed roadmap for what sort of compliance needs to happen, and the SEC is really laying out what its expectations are,’ Karin McGinnis, co-head of privacy and data security at the law firm Moore & Van Allen, told Citywire. 

The SEC has also bolstered its cyber enforcement staff this year, doubling the size of its newly renamed Crypto Assets and Cyber Unit (formerly simply the Cyber Unit) to 50 dedicated positions in May.

Two months later, in its lone enforcement action related to cybersecurity controls, the SEC penalized three firms for deficiencies in their identity theft prevention programs under Regulation S-ID. 

Other existing rules, like Regulation S-P, mandate written policies to protect customer records. Yet McGinnis noted that S-P does not require a detailed cybersecurity plan or reporting to government regulators.

Advisor Armor