
New SEC Regulations Require Incident Reporting and Cybersecurity

on Monday, 28 February 2022 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On February 9, 2022, the SEC issued proposed rules for investment managers and mutual fund managers that would require these firms to adopt basic cybersecurity policies.[1] The cybersecurity regulatory language requires these policies to account for:

(1) Risk assessment;
(2) User security and access;
(3) Information protection;
(4) Cybersecurity threat and vulnerability management; and
(5) Cybersecurity incident response and recovery.

The adoption of the rules would bring the SEC requirements in-line with other recent cybersecurity laws and regulations.  For example, the New York Department of Financial Services already requires technical controls, such as multifactor authentication.


Risk Assessment

The risk assessment required by the proposed SEC rule is a “periodic assessment of cybersecurity risks”. The assessment requires the categorization and prioritization of all cybersecurity risks based on an inventory of the information systems and the potential impact of the risk.[2] A complete inventory of information systems is always the necessary first step in order to identify and categorize all of the potential risks associated with each operating system, application, computer, or IoT device.

The risk assessment also requires a review of any third-party “service providers that receive, maintain, or process adviser information.”[3]  This requirement similarly imposes a vendor or supplier risk assessment for any systems that process sensitive information on behalf of the adviser or manager.

Finally, risk assessments under the rule must be maintained in written documentation.[4]


User Access

The user access controls required by the proposed rule include, among other things, multifactor authentication (“MFA”) for users accessing adviser information systems.[5] MFA has been shown to prevent the vast majority of unsophisticated hackers,[6] and as such would bring advisers and managers in line with industry standards.


Information Protection

Information protection requires the monitoring and protection of adviser systems from unauthorized use and access.[7] The protections on the system would be required to take into account the sensitivity of the information on the system, whether there is any personal information on the system, how the information is accessed, stored, and transmitted, the system access controls, and the potential impact of a cybersecurity event.

The proposed rule specifically requires the oversight of service providers that receive, maintain, or process information on the system. This element of the rule requires third-party access to be monitored and to be documented in a written contract, and requires the service provider to “implement and maintain appropriate measures… designed to protect adviser information and adviser information systems.”[8]


Cybersecurity Threat Management and Incident Response

The proposed rule also requires detection, mitigation, and remediation of any cybersecurity threats and vulnerabilities[9] based on the risk assessment.

The rule also requires the organization to maintain a plan to detect, respond to, and recover from a cybersecurity incident,[10] also known as an incident response plan (“IRP”). The IRP must provide for the continued operation of the adviser, protection of information, external and internal incident sharing, and the reporting of significant cybersecurity incidents to the SEC.[11]

The incident reporting requirement will likely be the most debated requirement of the rule. The requirement includes completing and submitting a form with the SEC no later than 48 hours after “having a reasonable basis to conclude that a significant adviser cybersecurity incident or a significant fund cybersecurity incident had occurred or is occurring.”[12] This notification timeline is very short when compared to state breach notification timelines, which are often 30 or 60 days or “as soon as reasonably possible”. The Commission justifies the requirement by explaining:

[T]his reporting would not only help the Commission monitor and evaluate the effects of the cybersecurity incident on an adviser and its clients or a fund and its investors, but also assess the potential systemic risks affecting financial markets more broadly.[13]

The interpretation and applicability of the requirement will depend on the definition of the term “significant cybersecurity incident”, which the rule defines as:

a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.[14]

Finally, the rule requires that all cybersecurity incident responses are documented, including the response and recovery steps taken in connection with the incident.[15]


Definitions

An important definition in the proposed rule is the term “Personal Information”. Personal Information is defined more broadly than in most state breach notification statutes, many of which specifically exclude publicly available information. The SEC rule defines personal information as follows:

(1) Any information that can be used, alone or in conjunction with any other information, to identify an individual, such as name, date of birth, place of birth, telephone number, street address, mother’s maiden name, Social Security number, driver’s license number, electronic mail address, account number, account password, biometric records or other nonpublic authentication information; or

(2) Any other non-public information regarding a client’s account.[16]

This definition, most notably, includes dates of birth, place of birth, telephone numbers, street addresses, mother’s maiden name, and other nonpublic authentication information. The inclusion of such information is much broader than most state breach notification laws, which do not include information such as a date of birth or address that can commonly be found in mailing lists.


Conclusion

The SEC has published and is seeking comment on its proposed cybersecurity requirements and notification rule. The new rules will impose a set of requirements that will bring the SEC standards in line with modern cybersecurity requirements. The requirements are not significantly more stringent than industry standard, and most advisers or managers using modern equipment will most likely already deploy such measures to protect client data.

The 48-hour notification requirement will require a change in process for breach response and provide a new paradigm for industry cybersecurity threat-intelligence sharing.

[1] https://www.sec.gov/rules/proposed/2022/33-11028.pdf

[2] Id. at 232

[3] Id. at 233

[4] Ibid.

[5] Ibid.

[6] An article by Microsoft found that MFA could prevent 99.9% of attacks on an account (https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).

[7] Ibid.

[8] Id. at 234

[9] Ibid.

[10] Id. at 235

[11] Ibid.

[12] Id. at 46

[13] Id. at 47

[14] Ibid.

[15] Id. at 235

[16] Id. at 236
