The Securities and Exchange Commission may soon have a heavier hand in registered investment advisor firms' cybersecurity policies.

The SEC voted last month to propose rules related to cybersecurity risk management for RIA firms and registered investment companies and funds.

The regulator wants to be more prescriptive when it comes to cybersecurity, according to Ivan Barretto, founder and managing partner at consulting firm RIA Compliance Concepts.

"The SEC has always taken that approach where they want you to customize it based on your firm, but now they're getting down to the nitty-gritty and actually asking for certain things to be done across the board, whether you're a one-person operation or a 200-person operation," Barretto said last month at a webinar hosted by cybersecurity and information technology management solutions firm RightSize Solutions.

The regulator wants RIA firms to know their responsibilities, according to Wes Stillman, chief executive officer of RightSize Solutions.

"They're saying, 'Hey, your obligation as an RIA is to protect your clients' interest which includes minimizing risk that could lead to operational disruptions or loss or theft of clients' personal information,'" Stillman said at the webinar.

If the proposed rules go into effect, RIA firms would likely see their expenses increase, according to RIA Compliance Concepts' Barretto.

"The biggest thing is cost-wise — the cost of doing a cybersecurity assessment, the cost of procuring cybersecurity insurance premiums and so forth, that's going to go up," Barretto said. "The best thing I can advise most firms is start putting something in your budget to address this."

The proposed requirement that firms disclose, in their brochures and registration statements, cybersecurity risks and incidents that occurred in the last two fiscal years could be particularly onerous, according to RightSize Solutions' Stillman.

"The idea that you have to hang on to these things for a certain timeframe, like five years, that's going to change some of the processes and policies that you have in place today. One of the big impacts is, 'Now what do I need to save, and for how long?' I think the proposed requirement of any cybersecurity event occurring within the last two years implies that you have to save all of that," Stillman said.

Nevertheless, the burden on a firm's head of compliance may be less than expected, according to RIA Compliance Concepts' Barretto.

"The compliance person that's responsible for this, at the very least they have to understand what their infrastructure looks like and what's being done to protect it, but not necessarily become IT or cybersecurity experts," Barretto said.

"Vendor management is key and understanding how you're working with your vendors to do what you need to do to be compliant with this new, amended rule," he added.

With the rules simply being proposed at this point, Barretto and Stillman agreed that there's no need for RIA firms to make changes right now.

"It's good to get on the page of being proactive, but I wouldn't implement anything until they finalize the rule," Barretto said.

"It's just proposed at this point," Stillman added.

SEC Proposals

The proposed cybersecurity risk management rules would require advisors and funds to:

  • Adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors;
  • Report significant cybersecurity incidents affecting the advisor or its fund or private fund clients to the Commission on a new confidential form;
  • Publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements; and
  • Comply with new recordkeeping requirements designed to improve the availability of cybersecurity-related information and help facilitate the SEC's inspection and enforcement capabilities.
