SEC Cyber Rule Generates Concern Among Industry Experts
Author: E.J. Yerzak, Director, Cyber IT Services, CSS, a Confluence company
The dust has barely settled on the U.S. Securities and Exchange Commission’s proposed cybersecurity risk management rules for investment advisers and investment companies. That hasn’t stopped financial industry experts and compliance practitioners from expressing concern about the rules and whether they will actually help mitigate the growing number of cyber threats facing financial firms.
On September 20, 2022, Confluence hosted a live discussion, “Unpacking the SEC Cybersecurity Rules and Impacts,” with a group of esteemed practitioners who shared their views on the proposed rules. Moderated by Confluence’s Director of Cyber IT Services, E.J. Yerzak, the discussion brought together a panel of broad industry knowledge: Laura Grossman (Associate General Counsel of the Investment Adviser Association), Desiree Moore (Partner at K&L Gates and founding member and co-lead of K&L’s Digital Crisis Planning and Response group), and Adan Araujo (Chief Compliance Officer of Jasper Ridge Partners and former Senior Counsel at the SEC’s Division of Enforcement).
Confluence was pleased to welcome the panel for an insightful and lively discussion on the potential impacts of the proposed cyber rules. Leading things off, Grossman conveyed the IAA’s stance on the proposed regulation by walking through various points expressed in the IAA’s comment letter submitted to the SEC. While the IAA generally supported the rationale behind the rulemaking – that is, to improve cybersecurity among registrants and protect investors – Grossman noted that the forty-eight-hour incident reporting timeframe appeared quite burdensome, particularly for smaller advisers.
Araujo echoed that concern, explaining that when a firm is in the midst of responding to an incident, its energy and attention are devoted to the immediate crisis at hand. Having to divert some of those resources to file a report with the SEC before a complete picture is known about the incident can be challenging to many firms. It seemed questionable whether the SEC has the present capabilities to do anything useful with the incident reporting to possibly alert other firms to similar attack vectors, although the panel conceded that some information sharing would be beneficial.
Is the SEC’s cyber rule proposal too little too late, or does it come at a critical time for the financial industry? Moore shared her perspective that the interplay of various state and federal breach reporting requirements, together with the fact that multiple agencies are asserting jurisdiction over cyber with sometimes competing sets of requirements, can be a challenging maze to navigate without the help of outside experts. Moore reminded the audience of the importance of preserving claims of privilege for communications surrounding incident response. Grossman added that it is equally important to conduct cybersecurity risk assessments, in the hope of avoiding an incident in the first place.
On the other hand, the panel acknowledged that the SEC felt it had good reasons to propose its cyber rules. It seems that the agency was not satisfied with the collective state of cyber preparation across the industry, as numerous risk alerts over the last several years continue to find significant weaknesses in cyber controls among registrants. The SEC seems to have recognized that notwithstanding existing rules such as Regulation S-P and S-ID that touch on cyber, perhaps the principles-based approach was leaving too much room for interpretation. In fact, even this week, the SEC brought another enforcement action for alleged failures by a dual registrant to securely sanitize media containing client personal information before disposing of numerous hard drives and equipment.
The good news? The SEC’s cyber rule is still awaiting final action by the agency. It remains to be seen whether the rule will be adopted entirely as proposed or what tweaks may find their way into the final version. And as Araujo pointed out, firms should address cyber risk because it makes business sense to do so. He’s absolutely right. A cyber breach is bad for business. Cyber risk is business risk. And financial firms are well-advised to get their cyber act together well in advance of an incident. If you wait until an incident happens to start assessing your cyber preparedness, Araujo cautioned, “it’s too late.”
Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.