After warning for years about the increasing risk of cyber attacks, the SEC is sending an unambiguous message to financial advisors: Take cybersecurity seriously or face the consequences.
Proposed cybersecurity risk management rules recently released by the SEC for public comment would impose significant new requirements on advisors to detect, mitigate, and remediate cyber threats and vulnerabilities. The rules would require advisors to adopt and implement written policies and procedures to address cybersecurity risks; report significant cybersecurity incidents to the SEC; and maintain cybersecurity-related books and records.
Whether or not the proposed rules are fully adopted as written, they reflect the commission’s resolve to prioritize cybersecurity in its audits and enforcement investigations – and hold advisors accountable for failure to adhere to effective policies and procedures to safeguard client information. Advisors would be well advised to assess the design and effectiveness of their cybersecurity policies and procedures now, and make sure they are well-positioned to detect and mitigate potential risks.
In addition to assessing their own internal cybersecurity risks, advisors would be required to assess risks associated with the use of third-party service providers that have access to their systems. That means advisors may need to think about information security and how they engage with service providers in a whole new light.
Given the increasing pervasiveness and sophistication of cyber threats, independent advisors may want to consider if they are willing to devote the time and resources needed to maintain an effective cybersecurity program on their own. Indeed, the burden of managing increasingly complex technology, risk, and compliance requirements is a key reason many advisors who are looking to maintain their independence choose to work with a trusted partner for dedicated technology, risk, and compliance support. They’d much rather focus on helping clients achieve their financial goals than trying to keep track of the ever-changing technology and compliance landscape.