Here’s What You Need to Know: SEC’s Impending Cybersecurity Rules for Registered Investment Advisers and Funds

On February 9, 2022 the SEC proposed new cybersecurity rules for Investment Advisers and Funds, and just last week an article in Ignites suggested that the SEC is on the cusp of finalizing the rule – perhaps sooner than anticipated. According to Ignites, legal experts and compliance consultants predict that the recent approval of a cybersecurity rule for publicly traded companies could accelerate the timeline for the investment advisor rule, potentially resulting in its adoption before the expected fall timeframe.

Following are key highlights from the article:

1. Accelerated Timeline: The SEC’s recent green light for public companies to disclose cybersecurity concerns within four business days could pave the way for the investment advisor rule’s swift approval. The SEC’s proactive approach in approving the former suggests that the investment advisor rule could follow suit sooner than originally anticipated.
2. Proposed Mandates: The proposed rule entails the implementation of written cybersecurity policies and procedures by advisors and funds to manage potential risks. It also necessitates the prompt reporting of significant cybersecurity incidents within 48 hours via Form ADV. Advisors are further required to maintain comprehensive records pertaining to cybersecurity.
3. Parallel with Public Company Rule: The investment advisor rule mirrors the recently approved cybersecurity rule for publicly traded companies in certain aspects. Both rules demand the reporting of major cyber incidents within specific timeframes. However, the investment advisor rule goes a step further, mandating detailed cybersecurity measures like risk assessments and multi-factor authentication.
4. 48-Hour Reporting Challenge: The most notable challenge lies in the immediate 48-hour reporting window for significant incidents. Firms are advised to establish efficient protocols for assessing, reporting, and addressing cybersecurity incidents promptly.
5. Preparation Measures: Firms should lay the groundwork by instituting internal reporting frameworks, designating individuals responsible for SEC notifications, and constituting dedicated cyber response teams.

The upcoming cybersecurity rule signifies the SEC’s commitment to fortifying cybersecurity measures within the investment advisory sector, and we think their proactive stance aligns with the increasing importance of cybersecurity readiness in today’s digital landscape. We support the intent of this proposal and agree that the custodians of wealth – and those who service them – have a responsibility to ensure that wealth is both sustainable and future-ready.

Operational risk must be viewed from a systemic and preventative point of view, and if organizations are going to outpace cybercriminals, they must consider legacy technology’s limitations when it comes to upgrading, patching and maintenance. Systems that are decades old and pre-date the cloud revolution are unlikely to protect investors and maintain orderly markets because they cannot be updated easily or cost-effectively to adequately meet today’s requirements.  Embracing cloud capabilities is crucial to manage risks effectively and unlock evolving benefits. And yet, there are still some legacy thinkers that believe on-premises technology offers more control and safety.

So, let’s debunk that myth…

Decoding the Security Implications of a Cloud Transition

Cloud Transition Defined: The cloud shift involves porting software to new cloud data centers or building cloud-native applications on platforms like Azure or AWS. These cloud environments boast inherent advantages including redundancy, data replication, and fortified access controls, fostering enhanced asset protection.

Security as a Tandem Effort: The security underpinning a cloud-native approach comprises two fundamental aspects: safeguarding the underlying cloud infrastructure and ensuring the security of the application itself. Public providers such as Microsoft, Amazon, and Google diligently invest in cybersecurity R&D, employing experts and cutting-edge methods to uphold robust cloud security.

Infrastructure and Application Security: Cloud providers’ dedication to securing their services is a Herculean task to replicate in-house. For application security, cloud-native SaaS applications have demonstrated enhanced security. Their design, development, and automated patching mechanisms equip them to stay ahead of threats, compared to legacy technology on the cloud.

Vendor Evaluation: Opting for a cloud-native approach aligns security interests with the capabilities of cloud providers. While complexity might increase, the cloud bestows a dual defense mechanism—infrastructure and application levels. A multi-cloud strategy further enhances security by isolating instances on distinct public clouds.

Balanced Migration Approach: Organizations can initiate their cloud journey by complementing existing systems with cloud-based services, reaping immediate benefits like redundancy and scalability. However, overlaying cloud services on legacy technology may perpetuate vulnerabilities. A proactive cloud migration strategy empowers businesses to seize competitive advantages promptly.

Evolving with the Cloud: Transitioning to the cloud requires discernment, understanding that security lies in collaboration between organizations and cloud providers. The cloud empowers organizations with advanced safeguards and offers a proactive stance against cyber threats in an ever-evolving landscape.

So, What Now? Evaluating Cloud Security.

As fund managers and their service providers continue to adapt to their growing risk oversight responsibilities, they should be rigorously assessing their providers’ cybersecurity capabilities as well as their own capabilities. Key questions include:

• Does security align with providers’ mission?
• Is the service cloud-native or retrofitted onto legacy technology?
• How is redundancy and availability achieved?
• Are both data and transport layers encrypted?
• Who oversees security, and what’s their expertise?
• Can they provide documentation on best practices?
• How frequently is code updated?

A Word About FundGuard

FundGuard is a cross-enterprise, all-in-one investment accounting solution for IBOR, ABOR and NAV contingency.  FundGuard’s fully digital, AI-powered, cloud-native operating model supports global asset managers, asset owners, custodian banks and fund administrators in the management of their investment and accounting books and aligns well with firms looking to replace out-of-date systems processing in monolithic cycles.

Unburdened by the challenges of decades old legacy systems, FundGuard is transforming investment operations and existentially changing asset servicing, with a mission to help the world more safely and efficiently accumulate and grow assets. 

Contact us when you’re ready to join the transformation.

Related Reading

• Fund Investment Management, Cybersecurity and the Cloud – What You Need to Know and the Questions You Should be Asking
• The Enhancement and Standardization of Climate Related Disclosures for Investors
• SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds
• Ignites: Cyber Rules for Investment Advisors “Imminent” (subscription required)