PLANADVISER - November/December 2022 - 23

C
Foil potential breaches with strong
data security practices
T
he Securities and Exchange Commission has clearly
signaled that retirement plan advisers must adopt and
implement prescribed best practices for their cybersecurity
programs. Cybersecurity should be a top priority for
advisers, and the SEC wants better, more consistent practices
combined with additional reporting and disclosure.
On February 9, the SEC proposed new cybersecurity
risk management amendments and rules for SEC-registered
investment advisers and investment companies. The
proposal's comment period closed in April, and there is no
date for the final release, though sources estimate the rule
will be published in early 2023. The agency's " Cybersecurity
Risk Management Fact Sheet " states that the proposal will:
1) address concerns about advisers' and funds' cybersecurity
preparedness while reducing risks for clients and investors;
2) improve advisers' and funds' disclosures about their cybersecurity
risks and incidents; and 3) improve the SEC's ability
to assess systemic risks and oversee advisers and funds.
Prescriptive Proposal
Each of the proposal's three categories contains detailed
guidance on what the SEC expects for compliance, stressing
that adhering to the new rules is mandatory even if the cost
to do so is a challenge. Per the proposal: " In the extreme, we
expect that registrants with no current cybersecurity policies
and procedures would have to bear substantial costs. "
The proposal incorporates established best practices
with multiple references to existing guidance from the
National Institute of Standards and Technology and the
Cybersecurity and Infrastructure Security Agency. The
SEC allows advisory firms flexibility with implementation,
however, recognizing that " there is not a one-size-fits-all
approach to addressing cybersecurity risks. "
The agency has taken a stronger position with this
proposal than in its previous cybersecurity guidance. " While
in the past the SEC has focused more on recommendations
and best practices, now the agency is shifting its stance to
implementing a prescriptive rule set and creating accountability, "
according to technology consulting firm ECI's report
" New SEC Rules for Cybersecurity Risk Management: How
Investment Advisers and Funds Should Respond Today. "
Cybersecurity Risk Management
The proposal's cybersecurity risk management section lists
multiple requirements, with an overarching theme that
informal, ad hoc cybersecurity plans will no longer suffice.
The required actions start with " periodic risk assessments "
to identify and classify a firm's digital assets and the possible
risks to those assets. For example, where does a firm's data
reside? Which technology partners and outsourced service
providers have access to the adviser's information systems?
What is the potential impact of a cybersecurity incident?
The SEC notes that assessments should be updated at
least annually, or more frequently if a firm makes significant
changes to its operation, such as moving to a new cloud
service provider, for instance.
practice management / cybersecurity
YBER
READY
Art by Lars Leetaru planadviser.com November-December 2022 | 23

http://www.planadviser.com

PLANADVISER - November/December 2022

Table of Contents for the Digital Edition of PLANADVISER - November/December 2022

Built to Last
Cyber Ready
Measure Your Footprint
Determinants of Profitability
Keep a High Profile
Strategic Moves
The Value of a VCOC
Retroactive Compliance Reviews
Sheri Fitts
PLANADVISER - November/December 2022 - Cover1
PLANADVISER - November/December 2022 - Cover2
PLANADVISER - November/December 2022 - 1
PLANADVISER - November/December 2022 - 2
PLANADVISER - November/December 2022 - 3
PLANADVISER - November/December 2022 - 4
PLANADVISER - November/December 2022 - 5
PLANADVISER - November/December 2022 - 6
PLANADVISER - November/December 2022 - 7
PLANADVISER - November/December 2022 - 8
PLANADVISER - November/December 2022 - 9
PLANADVISER - November/December 2022 - 10
PLANADVISER - November/December 2022 - 11
PLANADVISER - November/December 2022 - 12
PLANADVISER - November/December 2022 - 13
PLANADVISER - November/December 2022 - 14
PLANADVISER - November/December 2022 - 15
PLANADVISER - November/December 2022 - Built to Last
PLANADVISER - November/December 2022 - 17
PLANADVISER - November/December 2022 - 18
PLANADVISER - November/December 2022 - 19
PLANADVISER - November/December 2022 - 20
PLANADVISER - November/December 2022 - 21
PLANADVISER - November/December 2022 - Cyber Ready
PLANADVISER - November/December 2022 - 23
PLANADVISER - November/December 2022 - 24
PLANADVISER - November/December 2022 - 25
PLANADVISER - November/December 2022 - Measure Your Footprint
PLANADVISER - November/December 2022 - 27
PLANADVISER - November/December 2022 - 28
PLANADVISER - November/December 2022 - 29
PLANADVISER - November/December 2022 - Determinants of Profitability
PLANADVISER - November/December 2022 - 31
PLANADVISER - November/December 2022 - 32
PLANADVISER - November/December 2022 - 33
PLANADVISER - November/December 2022 - Keep a High Profile
PLANADVISER - November/December 2022 - 35
PLANADVISER - November/December 2022 - Strategic Moves
PLANADVISER - November/December 2022 - 37
PLANADVISER - November/December 2022 - The Value of a VCOC
PLANADVISER - November/December 2022 - Retroactive Compliance Reviews
PLANADVISER - November/December 2022 - Sheri Fitts
PLANADVISER - November/December 2022 - Cover3
PLANADVISER - November/December 2022 - Cover4
https://www.planadviserdigital.com/planadviser/winter_2023
https://www.planadviserdigital.com/planadviser/fall_2023
https://www.planadviserdigital.com/planadviser/summer_2023
https://www.planadviserdigital.com/planadviser/industryleader_2023
https://www.planadviserdigital.com/planadviser/spring_2023
https://www.planadviserdigital.com/planadviser/november_december_2022
https://www.planadviserdigital.com/planadviser/september_october_2022
https://www.planadviserdigital.com/planadviser/july_august_2022
https://www.planadviserdigital.com/planadviser/may_june_2022
https://www.planadviserdigital.com/planadviser/industry_leader_awards_2022
https://www.planadviserdigital.com/planadviser/march_april_2022
https://www.planadviserdigital.com/planadviser/january_february_2022
https://www.planadviserdigital.com/planadviser/november_december_2021
https://www.planadviserdigital.com/planadviser/september_october_2021
https://www.planadviserdigital.com/planadviser/july_august_2021
https://www.planadviserdigital.com/planadviser/may_june_2021
https://www.planadviserdigital.com/planadviser/march_april_2021
https://www.planadviserdigital.com/planadviser/january_february_2021
https://www.planadviserdigital.com/planadviser/november_december_2020
https://www.planadviserdigital.com/planadviser/september_october_2020
https://www.planadviserdigital.com/planadviser/july_august_2020
https://www.planadviserdigital.com/planadviser/may_june_2020
https://www.planadviserdigital.com/planadviser/march_april_2020
https://www.planadviserdigital.com/planadviser/january_february_2020
https://www.planadviserdigital.com/planadviser/november_december_2019
https://www.planadviserdigital.com/planadviser/september_october_2019
https://www.planadviserdigital.com/planadviser/july_august_2019
https://www.planadviserdigital.com/planadviser/may_june_2019
https://www.planadviserdigital.com/planadviser/march_april_2019
https://www.planadviserdigital.com/planadviser/january_february_2019
https://www.planadviserdigital.com/planadviser/november_december_2018
https://www.planadviserdigital.com/planadviser/september_october_2018
https://www.planadviserdigital.com/planadviser/july_august_2018
https://www.planadviserdigital.com/planadviser/may_june_2018
https://www.planadviserdigital.com/planadviser/march_april_2018
https://www.planadviserdigital.com/planadviser/january_february_2018
https://www.planadviserdigital.com/planadviser/november_december_2017
https://www.planadviserdigital.com/planadviser/september_october_2017
https://www.planadviserdigital.com/planadviser/july_august_2017
https://www.nxtbookmedia.com