Since uncertainty still surrounds the Securities and Exchange Commission’s pending cyber risk management rules for registered investment advisers, Xantrion CTO, Christian Kelly, attended the recent 2024 Investment Adviser Compliance Conference, which included remarks from SEC officials. Unfortunately, those officials were limited in how much they could share since the rules have yet to be finalized.
The uncertainty notwithstanding, what is clear is that there are measures that firms can take right now to be prepared when the SEC does adopt a new risk management regulatory regime. Based on our own work in cybersecurity compliance and the latest guidance offered by commission officials, here’s what we recommend:
- Prepare a process to allow the timely collection of information on cybersecurity incidents. (We suggest the process be enshrined in an incident response plan, also known as an IRP.) The SEC’s proposed rules would mandate the reporting of incidents to the commission within 48 hours on a new proposed form, but for now, it’s unclear exactly what level of detail will be required of those reports. Should the commission ultimately err on the side of minimum detail, they will still likely require some basics, such as the date of the incident, whether any data was stolen, and whether the firm’s critical operations were affected.
- Establish or update cybersecurity risk management policies. Even without pressure from the SEC, managing cybersecurity risk should be a priority for any business. Cyberthreats are growing in both frequency and sophistication, driven in part by AI-powered schemes and malware. The SEC, for its part, is proposing a set of requirements that firms’ cybersecurity risk management programs should meet in order to minimize the risk of disruption from these threats.
- Confirm your partners and vendors have their own rigorous cybersecurity risk management programs. Under the SEC’s proposal, firms would be required to demonstrate oversight of critical third-party service providers. This will prove much easier to do if your service provider is already proactive on the cybersecurity front. A vendor that takes a lackadaisical approach to cybersecurity may not be one you want to continue doing business with.
- Identify your go-to team for cyber-compliance. The proposed rules would require advisers and funds to identify a group of individuals responsible for cyber-rule compliance. This group could include compliance and IT specialists and third-party service providers, such as managed service providers (MSPs).
- Choose an MSP that has the right qualifications to help you comply with the new rules and manage cybersecurity risk. An MSP can help RIAs and funds with everything from building cybersecurity risk management policies to gathering data on an incident in real time. But it has to be the right MSP. For highly regulated industries, including the financial industry, choosing the right MSP is critical. Some MSPs have little experience with the regulatory aspects of the industry; some don’t meet major compliance standards for their own businesses, like SOC-2. At Xantrion, we’re proud of our work expertly serving financial services clients and guiding them through evolving SEC regulations—guidance that, these days, is more critical than ever.
If you are looking for experienced cybersecurity partners to help you prepare for compliance with the pending SEC cyber risk management rules, Xantrion is here to help. Contact us today to learn more.