SEC cyber rule proposal poses challenges for small advisers

When it comes to cybersecurity, the financial advice sector may be a step ahead of the SEC, but a rule proposal raises the compliance stakes and could pose challenges for small advisers.

On Wednesday, the Security and Exchange Commission voted to release a proposal that would require registered investment advisers and investment companies to develop written policies and procedures to address cybersecurity risks that could harm clients or fund investors.

The proposal would require advisers to report cyberattacks to the SEC, disclose them on their Form ADV and maintain books and records related to cybersecurity.

The proposal comes after years of cybersecurity guidance from the SEC, which also has brought an enforcement case based on existing customer protection rules. The agency’s push on the topic has spurred many advisers to develop cyber policies.

But now firms, even if they have a cybersecurity response program, it will have to meet the specifics of a stand-alone SEC rule on the issue.

“It codifies what many advisers are already doing as part of their business continuity planning,” said Ken Joseph, managing director and head of U.S. financial services compliance and regulation at Kroll, a consulting firm. “If adopted, it increases the possibility of advisers being liable for breaking what would now be a new [cybersecurity] rule.”

As is the case with many regulations, it will be easier for large firms to comply. Firms will have to beef up their ability to detect, react to and report attacks, which is easier to do if they have an IT department.

“The rule will strike many advisers and funds as adding to what they’re already doing,” said Michael Birnbaum, a partner at Morrison & Foerster and a former SEC senior trial counsel. “I’m hopeful this will not add additional unnecessary burdens. If this is implemented in a heavy-handed way, it may present significant challenges, particularly for small advisers.”

One area where small firms may have trouble is in determining whether a cyber attack merits reporting to the SEC and then telling the agency within 48 hours. The proposal says any incident that poses substantial harm to clients or disruption to the business must be reported.

“It will be difficult to meet that quick turnaround time, especially for small to midsize firms that don’t have an in-house IT department,” said Craig Moreshead, managing director at Foreside, a compliance consulting firm. “The commission will have to add more specifics to help firms figure out if something is significant or not.”

A cybersecurity rule would almost certainly require advisory firms to spend more on compliance.

Firms are going to have to have “more cyber experts on hand, either outsourced or in-house,” Moreshead said. “I can’t see smaller firms going it alone and being able to comply.”

But when firms do comply and report incidents to the SEC, it could create another problem, Joseph said.

Publicly disclosing cybersecurity risks and incidents “could itself provide a treasure trove of valuable information for bad actors who are on the prowl for information that could inform the tactics and strategies they use to inform cyber-attacks,” said Joseph, a former SEC examination official. “You have to strike the right balance in assisting firms in boosting their defenses and providing appropriate disclosures to investors while not creating any vulnerabilities for [hacker] to exploit.”

The SEC has put the proposal out for public comment for 60 days.