FA Magazine September 2023 | Page 16

Mark Hurley & Brian Hamburger
THE BIG PICTURE
• Disclose the cybersecurity risks they face, and how they “assess, prioritize, and address” them.
Notably, the SEC also asked for comments about whether industry participants should be required to have a chief information security officer and how “best industry practices” should be defined.
The new rules will likely change the way the SEC interacts with its registrants. It currently does so through somewhat regular examinations, but there are large gaps between these. The new rules would require RIAs to immediately self-report any material cybersecurity breach, regardless of whether any client information or assets were stolen.
The firm involved should expect a call or visit from regulators shortly thereafter for a targeted review of its cybersecurity policies and procedures. The examination’s starting point is that the firm was breached, and thus its cybersecurity proved inadequate, placing it at risk of an enforcement action.
The rules will also change advisors’ disclosures to clients about cyber risks. Today, such disclosures are largely non-existent. Few industry participants ever explain to clients that the custodians and brokerages they use and recommend often require the client to bear a preponderance of risk from any cyber theft loss. Nor do RIAs disclose the cyber counterparty risks involved in using their services and that, should the firm be breached, client assets and information could be stolen.
Under the new rules, RIAs will be obligated to disclose this, and much more. Firms are going to have to explain, in writing, what they are doing to protect client information and assets against cyber theft and, despite these precautions, the many risks that remain. If a firm is breached, it will have to make additional, embarrassing disclosures to all its current and future clients. For a profession that relies on client trust, this would be a devastating blow.
No one is clear on how the new rules will be enforced. In the event of a breach, the SEC will likely carefully review a firm’s earlier annual self-assessment of cybersecurity risks and the steps taken by management to address them. Additionally, although the proposed rules do not dictate specifically what a firm should do for protection, in no small part because such prescriptions would quickly become obsolete, the regulators also will likely closely examine whether the firm has followed the industry’s “best practices” on cybersecurity.
What that means precisely remains unclear. It clearly involves spending a lot more money on cybersecurity. The largest and best-equipped firms will likely set the bar for the SEC’s expectations. Smaller entities will need to rely on scalable solutions and be better at informing clients. Moreover, like technology, these standards are never static and will evolve as more firms are breached and as threats change, forcing wealth managers to spend even more.
The SEC has not yet taken a position that industry participants must absolutely appoint a chief information security officer, also called a CISO, to manage cybersecurity risks, but this requirement would be consistent with its past practices. The agency has previously mandated that firms appoint a chief compliance officer, someone who could balance an organization’s conflicting desires to both maximize profits and meet regulatory obligations. There is a similar conflict now: a firm’s desire for ease of access to information contrasting with its need for robust digital protection.
Meanwhile, cybercriminals are innovating at a ferocious rate. With the use of AI software, they can even clone voices. They are aggressively and openly copying passcodes for devices in public places and then stealing those devices. And not a day goes by that we don’t discover new malware they’ve created.
As they develop new tactics and methods, many in the financial services industry remain asleep at the wheel, doing little to reduce risks. Even those who have stepped up their cyber defenses will likely find that those defenses pose little challenge to determined cybercriminals. Soon this reality will come up against the expectations and power of regulators.
MARK HURLEY is CEO of Digital Privacy & Protection (dpripro.com). BRIAN HAMBURGER is President & CEO of MarketCounsel Consulting (marketcounsel.com) and Chief Counsel of the Hamburger Law Firm (hamburgerlaw.com).