The SEC is about to upend your firm when it comes to cybersecurity.
Last year, the agency proposed a series of new rules, heading toward approval likely later this year. Although not yet final, they are going to shake up the ways RIAs run their businesses.
The agency has been talking about cybersecurity for some time. A decade ago, it promulgated an identity theft rule, Regulation S-ID, an expansion of rules issued more than 20 years ago obligating wealth managers to come up with procedures to protect customer records and information against threats. Last year, the SEC took enforcement actions against three large organizations, JPMorgan, UBS and TradeStation, for violating these rules.
The new rules would go much further. The SEC is worried about the “efficacy” of “industry-wide practices,” the inadequacy of “disclosures to advisory clients” about cyber risks, and potential “insider” threats. The commission also says meeting fiduciary duties requires taking steps to “minimize cybersecurity risks” and that, while cybersecurity spending may seem “considerable,” “it may nonetheless be inadequate.” More simply, protecting client data and assets is synonymous with acting in the best interest of clients.
The proposed rules would require RIAs to:
• Adopt written policies and procedures that are “reasonably designed to address cybersecurity risks”;
• Conduct an annual written assessment of cybersecurity risks;
• Self-report any cybersecurity incidents or breaches within 48 hours;
• Promptly disclose cybersecurity incidents to clients; and
• Disclose the cybersecurity risks they face, and how they “assess, prioritize, and address” them.
Notably, the SEC also asked for comments about whether industry participants should be required to have a chief information security officer and how “best industry practices” should be defined.
The new rules will likely change the way the SEC interacts with its registrants. It currently does so through somewhat regular examinations, but there are large gaps between these. The new rules would require RIAs to immediately self-report any material cybersecurity breach, regardless of whether any client information or assets were stolen.
The firm involved should expect a call or visit from regulators shortly thereafter for a targeted review of its cybersecurity policies and procedures. The examination’s starting point is that the firm was breached—and thus its cybersecurity proved inadequate, placing it at risk of an enforcement action.
The rules will also change advisors’ disclosures to clients about cyber risks. Today, such disclosures are largely non-existent. Few industry participants ever explain to clients that the custodians and brokerages they use and recommend often require the client to bear a preponderance of risk from any cyber theft loss. Nor do RIAs disclose the cyber counterparty risks involved in using their services and that, should the firm be breached, client assets and information could be stolen.
Under the new rules, RIAs will be obligated to disclose this—and much more. Firms are going to have to explain, in writing, what they are doing to protect client information and assets against cyber theft and, despite these precautions, the many risks that remain. If a firm is breached, it will have to make additional, embarrassing disclosures to all its current and future clients. For a profession that relies on client trust, this would be a devastating blow.
No one is clear on how the new rules will be enforced. In the event of a breach, the SEC will likely carefully review a firm’s earlier annual self-assessment of cybersecurity risks and the steps taken by management to address them. Additionally, although the proposed rules do not dictate specifically what a firm should do for protection—in no small part because such prescriptions would quickly become obsolete— the regulators also will likely closely examine whether the firm has followed the industry’s “best practices” on cybersecurity.
What that means precisely remains unclear. It clearly involves spending a lot more money on cybersecurity. The largest and most equipped firms will likely set the bar for the SEC’s expectations. Smaller entities will need to rely on scalable solutions and be better at informing clients. Moreover, like technology, these standards are never static and will evolve as more firms are breached and as threats change, forcing wealth managers to spend even more.
The SEC has not yet taken a position that industry participants must absolutely appoint a chief information security officer, also called a CISO, to manage cybersecurity risks, but this requirement would be consistent with its past practices. The agency has previously mandated that firms appoint a chief compliance officer, someone who could balance an organization’s conflicting desires to both maximize profits and meet regulatory obligations. There is a similar conflict now—a firm’s desire for ease of access to information contrasting with its need for robust digital protection.
Meanwhile, cybercriminals are innovating at a ferocious rate. With the use of AI-software, they can even clone voices. They are aggressively and openly copying passcodes for devices in public places and stealing them. And not a day goes by that we don’t discover new malware they’ve created.
As they develop new tactics and methods, many in the financial services industry remain asleep at the wheel, doing little to reduce risks. Even those who have stepped up their cyber defenses will likely find out that they remain unchallenging to determined cybercriminals. Soon this reality will come up against the expectations and power of regulators.
Mark Hurley is CEO of Digital Privacy & Protection (dpripro.com). Brian Hamburger is President & CEO of MarketCounsel Consulting (marketcounsel.com) and Chief Counsel of the Hamburger Law Firm (hamburgerlaw.com).