SEC Proposes Cyber Rules for Investment Funds and Advisers

Financial regulators proposed long-awaited cybersecurity rules for investment funds and advisers last week that would require thousands of companies to report cyberattacks within 48 hours.

Under the proposals made public Wednesday, the U.S. Securities and Exchange Commission said funds and registered investment advisers must develop written policies and procedures for dealing with cybersecurity incidents, and keep detailed records on them. Significant events should be disclosed to investors and reported to regulators, the agency said.

While the SEC has included elements of cyber guidance in other rules—notably Regulation Systems Compliance and Integrity, and its Identity Theft Red Flags Rule, known as Regulation S-ID—this is the first time it has specifically detailed the cybersecurity preparations it expects from advisers and funds.

“Most credible investment advisers already have something in place, it’s part of their business-continuity planning, and part of their disaster and crisis management plan,” said Ken Joseph, a managing director in consulting firm Kroll Holdings Inc.’s financial services compliance and regulation practice.

Mr. Joseph, who worked as an SEC investigator for 21 years before joining Kroll, said the real change in the regulator’s approach is the requirement that advisers report major cyber incidents within 48 hours.

“If the rule is adopted as written, they will also have to disclose that risk publicly to actual and potential clients,” he said. The proposed rules state that funds must disclose any “significant cybersecurity incidents” from the past two fiscal years on brochures and regulatory filings.

How the SEC defines “significant” remains a key question, said Kelly Koscuiszka, a partner at New York law firm Schulte Roth & Zabel LLP.

“It depends on what the trigger is,” she said.

In the proposed rules, the SEC describes a significant incident as one that prevents an adviser or fund from carrying out critical operations, such as processing transactions, and says the reporting obligation kicks in after a company has a “reasonable basis” to conclude that a cyber event is occurring. The SEC also classifies data breaches as significant events, and is asking for public comment on its definitions.

The proposed rules place much of the onus for cybersecurity preparations, record-keeping and reporting specifically on advisers, even when they outsource technology to third-party providers. Under the proposal, funds must ensure that those third-party technology suppliers comply with the new requirements.

[Photo: SolarWinds headquarters in Austin, Texas. Credit: Suzanne Cordeiro/Agence France-Presse/Getty Images]

“It actually makes our life a little easier,” said George Ralph, global managing director and chief risk officer at RFA Inc., which provides technology services to financial companies. “This is what we often tell people they should be doing, and now the SEC is saying it.”

The proposal is the latest cybersecurity-focused action by the agency.

In September, the SEC reached a $10 million settlement with analytics firm App Annie Inc. over securities fraud charges, alleging the company misled mobile app developers on its privacy controls. App Annie didn’t admit to wrongdoing as part of the deal. The SEC’s action, however, suggested it would be looking more closely at the third-party data providers that investors increasingly rely on to make trades.

In August, the SEC sanctioned three investment firms after hackers broke into email accounts, gaining access to personal data.

And last year the SEC launched an investigation of the breach of several federal agencies and dozens of U.S. companies through a compromised software update from SolarWinds Corp. U.S. officials only learned of the incident after Mandiant Inc., a cybersecurity firm then known as FireEye Inc., reported that it had been hacked.

[Photo: Gary Gensler, chairman of the SEC. Credit: Evelyn Hockstein/Reuters]

In the ensuing SEC probe, “A lot of the questions were focused on how you learn about cyber events as a victim, and how these things are reported,” Ms. Koscuiszka commented.

Last year, the Biden administration rolled out first-of-their-kind cyber incident reporting requirements for pipelines, where operators must disclose certain hacks within 12 hours, and rail operators, which have a 24-hour deadline. Agencies such as the Federal Trade Commission and Federal Communications Commission, meanwhile, have moved to police companies’ data usage by exploring new regulations or enforcing existing standards more aggressively.

Despite those efforts, attempts by lawmakers to include hack-reporting mandates in the U.S. defense budget in December failed. Last week, however, Sens. Gary Peters (D., Mich.) and Rob Portman (R., Ohio) introduced a new package of proposed laws that include breach-reporting mandates.

Last Tuesday, a group of senators including Angus King (I., Maine), Mark Warner (D., Va.), Jack Reed (D., R.I.), Susan Collins (R., Maine), Kevin Cramer (R., N.D.), Catherine Cortez Masto (D., Nev.) and Ron Wyden (D., Ore.) wrote SEC chairman Gary Gensler urging the agency to propose breach-reporting rules in coordination with National Cyber Director Chris Inglis.

Mr. Gensler has stated on a number of occasions in recent months that new cybersecurity rules were forthcoming.

“Investors deserve a clear understanding of whether companies and investment managers are prioritizing cybersecurity. They also have a right to prompt notification of serious cybersecurity incidents,” the senators wrote.

Write to James Rundle at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
