Mark Hurley & Brian Hamburger

The bar for cybersecurity compliance is about to get much higher .

HE SEC IS ABOUT TO UPEND YOUR FIRM WHEN IT COMES to cybersecurity .

Last year , the agency proposed a series of new rules , heading toward approval likely later this year . Although not yet final , they are going to shake up the ways RIAs run their businesses .

The agency has been talking about cybersecurity for some time . A decade ago , it promulgated an identity theft rule , Regulation S-ID , an expansion of rules issued more than 20 years ago obligating wealth managers to come up with procedures to protect customer records and information against threats . Last year , the SEC took enforcement actions against three large organizations , JPMorgan , UBS and TradeStation , for violating these rules .

The new rules would go much further . The SEC is worried about the “ efficacy ” of “ industry-wide practices ,” the inadequacy of “ disclosures to advisory clients ” about cyber risks , and potential “ insider ” threats . The commission also says meeting fiduciary duties requires taking steps to “ minimize cybersecurity risks ” and that , while cybersecurity spending may seem “ considerable ,” “ it may nonetheless be inadequate .” More simply , protecting client data and assets is synonymous with acting in the best interest of clients .

The proposed rules would require RIAs to :

• Adopt written policies and procedures that are “ reasonably designed to address cybersecurity risks ”;

• Conduct an annual written assessment of cybersecurity risks ;

• Self-report any cybersecurity incidents or breaches within 48 hours ;

• Promptly disclose cybersecurity incidents to clients ; and

SEPTEMBER 2023 | FINANCIAL ADVISOR MAGAZINE | 13