‘The quality of cybersecurity risk for registered investment advisers, whether they are in the DOL sector or not, is increasing.’
In February, the Securities and Exchange Commission proposed two new cybersecurity rules: rule 206(4)-9 under the Investment Advisers Act and rule 38a-2 under the Investment Company Act. At a high level, the current version of the proposal would require advisers to:
• Adopt written policies and procedures for managing cybersecurity risk, including an annual review, a written report, and related record-keeping;
• Report significant cybersecurity incidents to the SEC on a new Form ADV-C; and
• Disclose cybersecurity risks and incidents to clients through amendments to Form ADV Part 2A.
The SEC’s proposed rule 206(4)-9 follows the Department of Labor’s cybersecurity guidance, issued in April 2021 for retirement plan fiduciaries and service providers, a group that includes registered investment advisers who work with plans. Taken together, the two efforts make clear that regulators are concerned about cybersecurity, which raises the question of whether the agencies’ approaches will converge or diverge. Plan advisers subject to both regimes would benefit from convergence; divergence could mean extra work to comply with overlapping rules and proposals.
The two agencies’ approaches differ markedly. The SEC is following a formal rule-making process, including a public comment period that runs through at least April 11, 2022. According to David Porteous, a partner at Faegre Drinker, the timetable for publishing a final rule, and what that rule will contain, is uncertain and will depend on the number of comments the proposal receives. “You may get four comments or 4,000,” Porteous pointed out. “Given the seriousness of this problem, I wouldn’t be shocked if you get a lot of comments that the SEC needs to at least consider.”
The DOL, by contrast, issued its guidance, tips, and recommended best practices in three separate publications directed at plan fiduciaries, service providers, and participants, without following a formal notice-and-comment rule-making procedure. The DOL’s earlier use of an informal procedure with the fiduciary rule, as articulated in PTE 2020-02, has been challenged in two lawsuits, according to David Levine, partner and co-chair of the plan sponsor practice at Groom Law Group. Levine said the outcome of that litigation could affect the standing of the DOL’s cybersecurity guidance.
According to Porteous, the DOL places the onus on plans to ask the appropriate cybersecurity questions in the first place. RIAs and funds, on the other hand, would be required under the SEC proposal to establish a “risk framework to deal with cybersecurity and make disclosures and undertake tests of its sufficiency,” Porteous said. “So, whether you’re in the DOL area or not, I’d say that the temperature is increasing on the quality of cybersecurity risk for a registered investment adviser.”
While there isn’t necessarily a contradiction between the DOL’s guidance and the SEC’s proposed rules, Christopher DiTata, vice president and general counsel at RIA in a Box, said the SEC proposal appears to go into greater detail, particularly on disclosure. The SEC proposal would require advisers not only to adopt internal policies and procedures, but also to report significant cybersecurity incidents to the SEC. According to DiTata, both the DOL and the SEC expect financial institutions to notify investors of significant cybersecurity breaches.