New Cybersecurity Rules for Financial Advisors: What You Need to Know

While no company can reasonably be expected to fully eliminate risk, financial advisors are typically held to a higher standard for protecting data since they deal directly with client funds. These standards are always evolving; last month, the SEC proposed a new set of cybersecurity rules and requirements that could have major implications for the way advisors work.

In this post, we’ll look at these changes and what they could mean for you.

Proposed Rule #1: Risk Management

The first proposed cybersecurity rule from the SEC requires all firms to “adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks.” In other words, all advisors must outline a risk management strategy of some sort.

This rule would also require advisors and funds to conduct an annual cybersecurity risk assessment in order to assess, categorize, prioritize and draft written documentation of the cybersecurity risks associated with their IT systems.

If you’re not sure where to start with this, we will help you out later in this article.

Proposed Rule #2: Reporting

The proposal would also require advisers to report significant cybersecurity incidents to the SEC. This includes any incidents that disrupt the advisor’s ability to maintain critical operations.

Advisors will need to report any incidents to the SEC in a confidential ADV form. This will allow the SEC to better monitor and evaluate the effects of any cybersecurity attacks, and address any potential systemic risks.

Proposed Rule #3: Disclosure

The third proposed rule change would require advisors to publicly disclose previous cybersecurity risks or incidents. Any incidents in the past two fiscal years would need to be included alongside business practices, fees, risks, conflicts of interest and disciplinary information in Part 2A of a firm’s annual ADV reporting.

This rule would also apply to funds and require that prospective and current investors be provided with cybersecurity-related disclosures in the fund’s registration statement.

Proposed Rule #4: Record keeping

The last proposed rule change would alter traditional record keeping. Advisers would be required to maintain internal records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.

For funds, proposed rule 38a-2 would require that they maintain copies of their cybersecurity policies, procedures and other related records.

Creating a Cybersecurity Plan

In part two of this article, we outline a five-step plan you can start on today that will make it easier to adapt when these changes — or other similar regulatory requirements — are enacted. Visit the Hubly blog to read more.

