PLANADVISER - Fall 2023 - 37

cyber-related incidents, the SEC, on March 9, 2022, issued
a proposed rule called Cybersecurity Risk Management for
Investment Advisers, Registered Investment Companies and
Business Development Companies.
The proposed rule, if adopted in full, would establish a
specific regulatory requirement to implement cybersecurity
policies and procedures, " reasonably designed to address
the adviser's cybersecurity risks. " It would be unlawful for
an adviser to engage in an advisory business without doing
so. Such policies and procedures would need to address: 1)
cybersecurity risk assessment; 2) user security and access; 3)
information protection; 4) cybersecurity threat and vulnerability
management; and 5) cybersecurity incident response
and recovery. Further, firms would need to review such policies
and procedures annually to assess their effectiveness.
The proposed rule would also create cybersecurity incident
disclosure obligations. Advisers would need to report
specific information regarding incidents in part 2 of the firm's
ADV and report any significant incidents to the SEC.
The Takeaway
Though the rule is not final, both the preamble and the regulatory
text provide insights into how the agency might view a
firm's cybersecurity efforts. Advisers should assume that the
proposed rule will be adopted in some form. Therefore, firms
should review their current cybersecurity practices against
the proposed rule to be ready for compliance with a final rule.
Notably, the compliance burden may be substantial-particularly
for small to midsize firms, which often lack the technological
resources of other firms. -David Kaleda
The DOL's Cybersecurity Investigations
THE SECURITIES and Exchange Commission
is not the only regulator
concerned with cybersecurity practices.
The Department
of
Labor
has
increasingly been reviewing cybersecurity
policies and procedures,
including those of third-party service
providers, when investigating plans
covered by the Employee Retirement
Income Security Act. Therefore, investment
adviser firms should expect that
plan sponsors will ask them for information
about their cybersecurity policies
in order to address requests or
questions from a DOL investigator.
Further, an adviser may directly
receive a request from an investigator
to produce cybersecurity-related documents
or may be interviewed by the
investigator
regarding
cybersecurity
procedures, though this is less common.
In its investigations, the DOL
asks for substantial documentation
regarding the adviser's cybersecurity
procedures and asks questions related
to those procedures, as well as to
the firm's cybersecurity policies and
cybersecurity liability insurance.
DOL Guidance
The document request and questions
are largely based on two pieces
of guidance the DOL issued in April
2021. The first of them, " Cybersecurity
Program Best Practices, " was written
to help advisers and other plan service
providers ensure proper mitigation of
cybersecurity risks-in their clients'
plans and in their own practice. The
document will be the basis of the cybersecurity
questions that investment
advisers and other fiduciary providers
can expect to receive from a sponsor
client and can help them determine
how they might be evaluated by plan
fiduciaries or the DOL.
" Best Practices " provides 12 practices
that, the DOL says, " recordkeepers
and other service providers
responsible for plan-related IT systems
and data " should follow. Additionally,
the DOL states that these practices
can be utilized by plan fiduciaries in
making prudent decisions on the selection
and retention of service providers.
The guidance, further, outlines
what the DOL says a good cybersecurity
program should consist of, including
components such as an annual risk
assessment of the program's effectiveness,
strong access controls, reliable
third-party audits of security controls,
cybersecurity awareness training and
a business resiliency program.
Notably, plan sponsor clients may
ask to see documentation confirming
that reliable third parties have
reviewed the provider's procedures-
e.g., a SOC 2 report.
The second piece of guidance,
" Tips for Hiring a Service Provider
with Strong Cybersecurity Practices, "
focuses on questions plan fiduciaries
should ask regarding cybersecurity
practices when considering hiring a
service provider. Among other things,
the DOL suggests the plan fiduciary
inquire as to whether the service
provider has cybersecurity liability
insurance.
In the days to come, cybersecurity
likely will become an issue on which
the DOL will focus in all of its plan
investigations. For advisers, this will
especially be the case if they hold or
have access to personally identifiable
information of plan participants or
plan assets.
A failure to honor client requests
could result in a direct document
or interview request, including a
subpoena, from the DOL investigator.
Additionally, the DOL has the power to
investigate any fiduciary or nonfiduciary
service provider to the plan and
may do so if it learns that the provider
is the victim of a cybersecurity incident
that may have affected an ERISAcovered
plan. -DK
David Kaleda is
a principal in the
fiduciary responsibility
practice group
at Groom Law
Group, Chartered,
in Washington.
Practice Management | Fall 2023 | planadviser.com 37
http://www.planadviser.com
PLANADVISER - Fall 2023

Table of Contents for the Digital Edition of PLANADVISER - Fall 2023
