FA Magazine September 2023 | Page 15

THE BIG PICTURE

Mark Hurley & Brian Hamburger

The SEC Is About To Rock Your World

The bar for cybersecurity compliance is about to get much higher.

The SEC is about to upend your firm when it comes to cybersecurity.
Last year, the agency proposed a series of new rules, heading toward approval likely later this year. Although not yet final, they are going to shake up the ways RIAs run their businesses.
The agency has been talking about cybersecurity for some time. A decade ago, it promulgated an identity theft rule, Regulation S-ID, an expansion of rules issued more than 20 years ago obligating wealth managers to come up with procedures to protect customer records and information against threats. Last year, the SEC took enforcement actions against three large organizations, JPMorgan, UBS and TradeStation, for violating these rules.
The new rules would go much further. The SEC is worried about the “efficacy” of “industry-wide practices,” the inadequacy of “disclosures to advisory clients” about cyber risks, and potential “insider” threats. The commission also says meeting fiduciary duties requires taking steps to “minimize cybersecurity risks” and that, while cybersecurity spending may seem “considerable,” “it may nonetheless be inadequate.” More simply, protecting client data and assets is synonymous with acting in the best interest of clients.
The proposed rules would require RIAs to:
• Adopt written policies and procedures that are “reasonably designed to address cybersecurity risks”;
• Conduct an annual written assessment of cybersecurity risks;
• Self-report any cybersecurity incidents or breaches within 48 hours;
• Promptly disclose cybersecurity incidents to clients; and