SEC Proposal Could Bolster US Financial Infrastructure
Proposed on February 9th, SEC 38a-2 would help bolster the cybersecurity posture of investment institutions in the US by holding undersecured, non-compliant parties responsible for the fallout and reporting of breach events. Given added urgency by cyber attacks related to tensions abroad, this proposal would strengthen the US’s financial infrastructure by incentivizing these institutions to stop ignoring the importance of protecting sensitive data from cyberattacks.
What Is SEC 38a-2?
The SEC’s proposal would promote improved cybersecurity resiliency for investment companies and advisers and hold them responsible for the federal reporting of successful attacks and for maintaining a strong cybersecurity posture. The proposal looks to establish three key areas of compliance: policies and procedures, reporting, and disclosure practices.
Policies and Procedures
Periodic risk assessments would be required for compliance. Documentation outlining findings and the prioritization of mitigation tactics would also need to be maintained for potential future audits.
Maintenance and Monitoring of User Security and Access
Regulated investors and advisers would be responsible for minimizing user-based risk by ensuring that unauthorized access to information systems is blocked. This includes authentication techniques like MFA and 2FA as well as periodic password resets.
Organizations would be required to periodically assess user access to the information contained on their systems to ensure that sensitive data is being adequately protected. Logged information, such as where and how information is stored, accessed, or transmitted, is included in this required review.
Threat and Vulnerability Management
A plan for threat detection, mitigation, and remediation, as well as vulnerability monitoring, would need to be outlined and executed.
Incident Response and Recovery
Investment companies would be required to have procedures in place to detect, respond to, and recover from attacks. SEC reporting procedures would also be required as part of this plan.
Under the new proposal, investment companies must report “significant adviser cybersecurity incidents” to the SEC on the new Form ADV-C within 48 hours of detection. The form would gather information regarding the scope and nature of each incident, including what information was compromised, how the firm plans to recover from the incident, whether clients or law enforcement were notified, and whether the incident is covered under a cybersecurity insurance policy. These reports would not be publicly available after filing.
Documentation would be required to be available to investors and clients outlining the adviser’s cyber readiness plans, along with any incidents that had occurred within the previous two years. This information is believed to enable investors to make more informed decisions when choosing to remain with or begin engaging with an adviser.
Improving Infrastructure Resiliency
The SEC’s new proposed rules are grounded in section 206 of the Advisers Act. Learning from past malware attacks, the intent of this new proposal is to bolster investor confidence and protect investors from advisers and investment companies not doing their part to protect and recover sensitive information. With the intention of holding all regulated entities accountable for cybersecurity compliance under Rule 38a-2, these entities could no longer put security measures on the back burner and jeopardize the stability of our financial infrastructure.
Internal IT is Not the Only Option
The measures proposed above do not need to be fully planned or executed internally by the investor or adviser required to maintain compliance. Thrive’s cybersecurity and compliance teams are experienced in providing NextGen technology services to the financial services industry. From private equity to investment banking institutions and everything in between, Thrive is here to help our clients achieve and maintain superior protection from the known – and the unknown.