Apparently, the ever-increasing complexity and number of cybersecurity threats faced by investment advisers (IAs) has rekindled special interest from the SEC, the United States Securities and Exchange Commission.
The new perspective no longer treats cyber security as a mere information technology vulnerability. Rather, cyber security is now viewed as the most attention-worthy challenge, one that can have much wider business, operational, regulatory and risk impacts for insurance advisers.
In a noteworthy development, the SEC has proposed new cyber security risk assessment rules aimed at investment advisers. These rules also cover breach management and recordkeeping with respect to cyber security.
In February 2023, the SEC finalized new rules under the 1940 Investment Advisers Act and 1940 Investment Company Act.
These rules, if implemented, would make it compulsory for funds and investment advisers to adopt and implement written policies with respect to cyber security. They would also make it compulsory for advisers to report certain cyber security events directly to the Commission through newly created forms. Such information would be kept private with the SEC. Neither the public nor the clients would be aware of it.
Yet another important aspect of the newly proposed rules is that any critical cyber security event is to be reported through registration forms and ADV forms. This refers to cyber security events that took place during the last two fiscal years.
Lastly, the rule proposal also addresses recordkeeping requirements with respect to cyber security. According to the SEC, these rules are crucial to supporting the Commission’s examination and enforcement abilities.