SEC Issues Cyber Rule Proposal For Advisers And Funds

On February 9, 2022, the Securities and Exchange Commission (SEC) proposed cybersecurity risk management rules applicable to registered investment advisers (“advisers”), registered investment companies, and business development companies (collectively, “funds”). With the proposal, the SEC is launching a new chapter in its regulatory approach to cybersecurity.[1] Commissioner Gensler indicated that he has requested staff to develop similar proposals for broker-dealers under Regulation Systems Compliance and Integrity (Regulation S-P).[2]

The regulatory context

The SEC and its staff have signaled increasing scrutiny of cyber practices for some time. The SEC’s focus on cybersecurity has extended for years, with particular attention to “market systems, customer data protection, disclosure of material cybersecurity risks and incidents, and compliance with legal and regulatory obligations under federal securities laws.” Over the last decade, there have been multiple risk alerts as well.[3] In addition, at the beginning of 2020, the Division of Examinations (previously known as the Office of Compliance Inspections and Examinations) (“Examinations Division”) issued a report on cybersecurity and resiliency observations, which was based on observations from “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.”[4] Nevertheless, the SEC staff makes clear in the Proposing Release that it continues to observe a lack of cybersecurity preparedness by advisers and funds, which puts clients and investors at risk.[5] The SEC staff goes on to clarify that the existing legal and regulatory framework applicable to advisers and funds is sufficient to encompass business disruptions from cybersecurity incidents as well as customer privacy and third-party oversight considerations.[6] With this backdrop, it is not surprising that a large component of the requirements of the proposed rules under the Proposing Release are captured as leading practices in the 2020 Examinations Report.

SEC cybersecurity evolution (2017–present)

2017
Risk alert: Observations from cybersecurity examinations. OCIE publishes a risk alert to highlight for firms the risks and issues that staff identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness. In addition, the risk alert describes factors that firms may consider to: (1) assess their supervisory, compliance, and/or other risk management systems related to cybersecurity risks, and (2) make any changes, as may be appropriate, to address or strengthen such systems.

2020
OCIE cybersecurity and resiliency observations 2020. Developed through its examinations of thousands of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants, the OCIE provides observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency.
Exam priorities. OCIE continues to prioritize cyber and other information security risks across the entire examination program.
Risk alerts. OCIE publishes three cybersecurity-related risk alerts: one on ransomware (July), another on safeguarding client accounts (September), and a third related to advisers’ compliance programs (November).

2021
Exam priorities. 2021 examination priorities include cybersecurity and resiliency, cyberthreat management, and incident response, among other things.
SEC announces three actions charging deficient cybersecurity procedures. SEC sanctions eight firms for violation of Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information, and of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.

2022
SEC proposes cybersecurity risk management rules and amendments for registered investment advisers and funds. SEC proposes rules related to cybersecurity risk management for registered investment advisers, registered investment companies, and business development companies (funds), as well as amendments to certain rules that govern investment adviser and fund disclosures. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.

The SEC’s Division of Enforcement has also prioritized weaknesses in cyber-related practices and has brought enforcement actions over the years. Although the SEC created an enforcement unit focused exclusively on cybersecurity in 2017,[7] it brought its first cybersecurity-related enforcement action in 2014.[8] In 2021 alone, the SEC sanctioned eight firms in three actions related to their cybersecurity practices.[9] Each of the actions pertained to cyber incidents that resulted in the exposure of client personally identifiable information (PII). The firms—a combination of broker-dealers and investment managers—either had not followed their own policies or had failed to implement written policies, and were required to pay between $200,000 and $300,000 to settle the charges.

Coinciding with this groundswell of activity at the SEC staff level, the SEC is helmed by an ambitious leader in Chairman Gensler, and the Commission has approved 17 proposals put forth by the staff since the beginning of 2022.[10]

Summary of the rule proposal

The SEC is proposing new rules and amendments under both the Advisers Act of 1940 (the “Advisers Act”) and the Investment Company Act of 1940 (the “Investment Company Act”). Under the Advisers Act, the SEC is proposing: (a) new rules 206(4)-9 and 204-6, (b) amendments to rules 204-2 and 204-3, and (c) new Form ADV-C and amendments to Form ADV. Under the Investment Company Act, the SEC is proposing new rule 38a-2 and amendments to Forms N-2, N-3, N-4, N-6, N-8B-2, and S-6.

In totality, the proposal has four major components:

1. Funds and advisers would be required to implement cyber risk management policies and procedures.
2. Advisers would be required to report significant cyber incidents to the Commission within 48 hours on new Form ADV-C.
3. Advisers and funds would be required to disclose cybersecurity risks and incidents to their investors and other market participants.
4. Advisers and funds would be required to maintain cybersecurity-related books and records.

Policies and procedures

Proposed new rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act would require firms to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. The proposal describes five “general elements” of cybersecurity policies and procedures that would be required:

A. Risk assessment: Firms would be required to perform periodic assessments of cybersecurity risks associated with adviser/fund information systems and adviser/fund information residing therein. This would mean that registrants need to implement risk management programs to continually assess, prioritize, treat, and document risks associated with their information systems on a periodic basis. In addition, firms will need to take a proactive role in sharing and understanding emerging risks from industry/critical infrastructure groups (such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)) to strengthen industry stance and identify new risks. Specifically, firms will need to:

i. Establish an inventory of information systems and implement a well-rounded approach (that considers factors such as information handled, impact of cybersecurity-related incidents involving these systems to advisers/funds, etc.) to categorize and prioritize cybersecurity risks associated with these information systems.

ii. Implement a third-party risk management (TPRM) program to establish an inventory of third parties or service providers with access to adviser or fund information or information systems, and determine whether the firm’s third-party risk, compliance, and performance (response and resiliency) expectations are being met throughout the third-party life cycle. Commitment of third parties to safeguarding adviser or fund information should be ensured via written contracts and agreements during onboarding.

The proposed rule also requires that advisers and funds review their policies and procedures at least annually and produce a written report of the review, which describes the review and any tests performed as well as any incidents that occurred since the preceding report was issued. Fund boards would be required to review the policies and procedures and the annual report.

B. User security and access: Firms would need to design and implement identity and access management programs for managing access to assets and information based on roles and entitlements. To this effect, registrants will need to:

i. Establish guidelines for acceptable use of adviser or fund assets and guide the behavior of individuals authorized to access adviser or fund information systems and any adviser or fund information residing in these systems.

ii. Enforce authentication and authorization for adviser or fund information systems via various methods such as multi-factor authentication, password management, identity life cycle management, role-based access controls, etc. Firms would need to implement role life cycle management processes (create, composition review, update, discontinue, etc.) consistently across their information systems.

iii. Secure remote access technologies that are used to interface with adviser or fund information systems such that remote access connections implement authentication, authorization, and encryption controls. Integrate remote access controls with other security capabilities (e.g., network access control (NAC), endpoint security, firewalls, centralized security information and event management (SIEM) solutions, etc.), and implement security monitoring and detection capabilities to identify threats on the network’s endpoints.

iv. Establish a security awareness and training program to help users understand their cybersecurity roles and responsibilities. Requisite policies and standards pertaining to mobile device management, secure use of adviser or fund information assets, etc. will need to be disseminated.

Another key aspect of the proposed rule is that advisers and funds would need to consider implementation of external identity and access management, commonly referred to as customer identity and access management (CIAM), from a business-to-business (B2B) as well as a business-to-customer (B2C) standpoint.

C. Information protection: Funds and advisers would be required to establish data protection programs for secure use, processing, transmission, and storage of their information and review compliance via periodic assessments. These assessments should consider:

- Sensitivity of information
- Whether the information is personal or confidential in nature
- Where and how the information is accessed, stored, and transmitted
- Security safeguards implemented to protect information, such as malware protection, data access, monitoring, etc.
- The potential impact of a cyber incident, especially on the ability to provide services

Advisers and funds need to safeguard their sensitive data from being disclosed or transmitted by users, whether with malicious intent or by inadvertent mistake. There are various security capabilities that advisers and funds may implement to safeguard such sensitive data. These include, but are not limited to:

i. Logging and monitoring for data access or exfiltration and for suspicious activity at the database layer, endpoints, and cloud. Further, monitor for sensitive information loss at the endpoints and through common network channels.

ii. Identify and control access to sensitive data by cloud access security broker (CASB), data loss prevention (DLP), data access governance (determine who owns, uses, and has access to sensitive information), and information rights management (restrict internal and external access to sensitive information, i.e., view, edit, copy, and print).

iii. Data loss prevention by scanning for sensitive information on servers, laptops, desktops, and cloud services. Monitor and implement rules to identify and block the transmission of sensitive data via sharing in cloud, email, and web, as well as to removable devices, and from being copied or printed.

D. Threat and vulnerability management: The proposal requires advisers and funds to implement threat and vulnerability management programs to monitor, detect, mitigate, and remediate cybersecurity threats and vulnerabilities. The vulnerability management program should have a defined governance model to establish accountability for handling vulnerability reports, and processes for intake, assignment, escalation, remediation, and remediation testing. The threat and vulnerability management programs will need to cover the following components:

i. Vulnerability assessment and penetration testing: Registrants should establish and implement a risk-based plan and approach to test for application, system, and network security vulnerabilities and weaknesses. These assessments could include scans or reviews of internal systems, externally facing systems, new systems, and systems used by advisers’ or funds’ service providers. Vulnerability scans and penetration tests should be conducted on an ongoing basis with no discernible start/stop point (e.g., based on threat landscape, on demand, etc.), and testing schedules will need to be adjusted based on changes in the firm’s threat landscape and internal intelligence from security analytics.

ii. Threat intelligence: Advisers and funds would need to establish threat intelligence capabilities to collect and aggregate threat information from multiple sources and leverage the information to identify new cybersecurity threats and vulnerabilities. Threat intelligence from multiple sources (including industry and government sources) should be evaluated for credibility, relevance, and exposure, and updated based on the changing threat landscape and internal requirements. Threat intelligence should be used to continuously improve patch and vulnerability review processes.

iii. Patch management: Firms should implement patch management programs to acquire, test, and deploy patches for hardware and software vulnerabilities and maintain a process to track and address vulnerabilities in a timely manner.

iv. Threat and vulnerability response training: Advisers and funds would need to establish role-specific cybersecurity threat and vulnerability response training that includes secure system administration courses for IT professionals, vulnerability awareness and prevention training for web application developers, and social engineering awareness training for employees and executives.

E. Incident response and recovery: The proposal requires firms to establish incident and crisis response programs to detect, respond to, and recover from cybersecurity incidents and to define formal processes for interfacing with the SEC and other external agencies to share incident-related information. The rules also require the creation of written documentation of the response to any cyber incident. This would also mean that firms back up
their data per defined schedules and based on business impact analysis and recovery point objective (RPO) requirements.

Advisers and funds would also need to establish incident response plans with detailed roles and responsibilities for relevant stakeholders to allow them to respond in an effective manner during cybersecurity incidents. The plans should have a clear escalation protocol to engage the adviser’s and fund’s senior officers, including appropriate legal and compliance personnel, and the fund’s board (as applicable) during cybersecurity incidents. In addition, advisers and funds should test their incident response plans through tabletop or full-scale exercises.

The proposal makes clear that the policies and procedures must demonstrate adequate third-party oversight, including documenting due diligence processes and procedures for periodic contract review “that allow funds to assess whether, and help to ensure that, their agreements with [third-party] service providers contain provisions that require service providers to implement and maintain appropriate measures designed to protect fund and adviser information and systems.”[11] For example, appropriate oversight includes inquiring about a service provider’s business continuity and disaster recovery protocols. Additionally, advisers and funds would need to document, similar to documentation of their own policies and procedures, the security measures that they are requiring of their service providers, which should be similar to their own measures. Further, the proposal describes elements of a required risk assessment, including classifying and prioritizing risks based on an information system inventory and cataloguing service providers that process or can access adviser or fund information.

Reporting of significant incidents on new Form ADV-C

Proposed new rule 204-6 under the Advisers Act would require registered advisers to report any significant cybersecurity incident—including those related to private funds, registered funds, or business development company (BDC) clients—via a new Form ADV-C within 48 hours. The proposal defines a significant incident as one “that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.”[12]

Proposed Form ADV-C would contain basic information about the adviser (e.g., SEC file number, primary operating location, contact information, etc.), critical dates associated with the incident, its current status, basic information about the nature and scope of the incident, whether other government or law enforcement entities have been notified, and whether it may be covered under a cybersecurity insurance policy.

Beyond the initial 48-hour reporting window, firms also would be required to update the form within 48 hours to reflect new or more accurate information and to file an amendment at the completion of the investigation for an incident.

Enhanced disclosure of cyber incidents

The proposal would amend Form ADV Part 2A for advisers and Form N-1A through Form N-8B-2 and Form S-6 for funds. The proposal amends Form ADV Part 2A to add a new Item 20 entitled “Cybersecurity Risks and Incidents,” where advisers need to describe the cybersecurity risks that could materially affect the advisory services and the cybersecurity incidents that occurred. The proposed amendments to Form N-1A, Form N-2, Form N-3, Form N-4, Form N-6, Form N-8B-2, and Form S-6 would require the funds to provide the cybersecurity-related disclosures and, per the amendments, to describe any significant fund cybersecurity incidents that occurred in the prior two fiscal years in the funds’ registration statements. Finally, the proposed amendment to Rule 204-3(b) would require an adviser to deliver interim brochure amendments to existing clients promptly if the adviser adds a disclosure of a cybersecurity incident to its brochure or materially revises information already disclosed in its brochure about such an incident. These disclosures are required to be made via inline XBRL.

Recordkeeping requirements

For advisers, proposed new recordkeeping requirements under Advisers Act Rule 204 would require advisers to retain:

- Five years’ worth of cybersecurity policies and procedures, with the first two years’ records in an easily accessible place
- Copies of a written annual review of the adviser’s cybersecurity policies and procedures for each of the preceding five years
- Copies of all Form ADV-C filings in the previous five years
- Records related to the response to and recovery from any cybersecurity incident in the previous five years
- Five years’ worth of cybersecurity risk assessments

For funds, proposed new recordkeeping requirements under Investment Company Act Rule 38a-2 would require funds to retain:

- Five years’ worth of cybersecurity policies and procedures
- Copies of written cybersecurity reports provided to the fund’s board
- Documentation of the annual review of the fund’s cybersecurity policies and procedures
- Copies of all Form ADV-C filings provided to the Commission by the fund’s adviser in the previous five years
- Records related to the response to and recovery from any cybersecurity incident in the previous five years
- Cybersecurity risk assessments for five years following the assessment

Implications of the proposal

The proposal raises a host of considerations for advisers and funds regarding their cybersecurity practices. Some actions for firms to consider:

- Elevate the governance of cyber risk management: The rule proposal will necessitate closer collaboration between CISOs and CCOs. For firms that don’t have a board subcommittee dedicated to cybersecurity, now may be a good time to organize one.
- Conduct a gap assessment of the cyber program against leading practices and regulatory expectations: Firms should conduct a gap assessment to baseline their cybersecurity program maturity and identify improvement areas. Firms that have not already done so should review the areas highlighted in the 2020 Examinations Report, which identifies seven areas of focus for firms, all of which are implicated in the Proposing Release. The gap assessment should also incorporate a mapping of current practices to the existing legal and regulatory framework as described by the SEC staff in the Proposing Release.
- Accelerate the timeline for enhancing your cyber core: A minimum baseline of cybersecurity program maturity is essential to manage risks. The specter of regulatory imperative can be a powerful motivator for funding delayed projects.
- Identify a team with primary responsibility for cyber compliance: Firms are increasingly adopting specialized and deeply skilled groups to manage cyber risks. The proposal affirmatively states that advisers will have the flexibility to self-identify the group responsible for cybersecurity oversight as it pertains to the rule, which may be a combination of compliance and IT professionals as well as third-party service providers.
- Conduct tabletop exercises: Firms should have the ability to handle critical incidents, quickly return to normal operations, and repair damage to the business. To this effect, firms need to review their incident response preparedness by engaging in cyber wargaming and other tabletop exercises to measure the efficacy of their incident and crisis response capabilities.

The proposal does not constitute a final rule, and the SEC is soliciting comments, including on whether the changes are too prescriptive (or, conversely, not prescriptive enough) as currently designed. As with many regulatory proposals, market participants are likely in various states of preparedness. This proposal is an opportunity for firms that are lagging in their cyber practices to step up and accelerate their pace of investment ahead of final regulatory mandates and consequences. Given heightened cyberthreats, advisers’ status as fiduciaries, and increasing regulatory expectations, the time is right for firms to elevate their cybersecurity efforts and embrace leading practices as outlined in the 2020 Examinations Report, regardless of whether the proposed rules are implemented as proposed.

Appendix

Table of actions for advisers and funds to consider (categories: Governance and risk management; User security and access; Information protection; Threat and vulnerability management; Incident response)

- Engage senior leaders other than the CISO, including the CCO and others
- Develop a risk assessment model
- Adopt and implement written policies and procedures
- Test policies and procedures to ensure their effectiveness
- Develop internal and external communication plans for a cyber event
- Identify and categorize information residing within their systems
- Map user access to systems and data
- Implement strong password standards and multifactor authentication
- Develop policies to limit user access as appropriate, separate duties for access approval, and recertify access on a periodic basis
- Monitor user access, including failed login attempts and access anomalies
- Enact a vulnerability management program to routinely scan for weaknesses in code, applications, servers, and databases
- Control, monitor, and inspect all incoming and outgoing network traffic
- Develop capabilities to detect threats on endpoints
- Manage use of mobile devices and implement a protection plan
- Catalogue vendor relationships and implement a vendor relationship management program
- Conduct trainings to increase knowledge and awareness of cyberthreats among staff and leadership
- Establish a framework for determining materiality classification for cyber incidents
- Develop a plan for escalation and communication, including reporting requirements
- Assign key owners of the plan and test it via war games, etc.

Contacts

Maria Gattuso
Principal, Deloitte & Touche LLP
mgattuso@deloitte.com
+1 203 423 4445

Najeh Adib
Senior Manager, Deloitte & Touche LLP
nadib@deloitte.com
+1 212 436 5750

Bruce Treff
Managing Director, Deloitte & Touche LLP
btreff@deloitte.com
+1 617 437 3087

Meghan Burns
Manager, Deloitte & Touche LLP
megburns@deloitte.com
+1 202 220 2780

Nitin Pandey
Managing Director, Deloitte & Touche LLP
npandey@deloitte.com
+1 212 436 7215

Endnotes

1. Securities and Exchange Commission (SEC), “SEC proposes cybersecurity risk management rules and amendments for registered investment advisers and funds,” press release 2022-20, February 9, 2022 (the release hereafter referred to as the “Proposing Release”).
2. SEC Chair Gary Gensler, “Statement on Proposal for Mandatory Cybersecurity Disclosures,” March 9, 2022.
3. SEC, “Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies,” February 9, 2022.
4. SEC Office of Compliance Inspections and Examinations (OCIE), “Cybersecurity and Resiliency Observations,” January 27, 2020 (the “2020 Examinations Report”).
5. Ibid., p. 8.
6. Ibid., p. 9.
7. SEC Office of Compliance Inspections and Examinations (OCIE), “Cybersecurity and Resiliency Observations,” January 27, 2020 (the “2020 Examinations Report”).
8. SEC, “Crypto Asset and Cyber Enforcement Actions,” accessed May 2022.
9. SEC, “SEC announces three actions charging deficient cybersecurity procedures,” press release 2021-169, August 30, 2021.
10. On March 9, 2022, the SEC approved a separate rule proposal requiring cyber incident disclosures by all public companies.
11. SEC, 17 C.F.R. Parts 230, 232, 239, 270, 274, 275, and 279, p. 27, accessed April 2022.
12. Ibid., pp. 42–43.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2022 Deloitte Development LLC. All rights reserved.
