PLANADVISER - November/December 2022 - 24

practice management / cybersecurity
" Look at internal and external risks, " says Jason Vinsonhaler,
director of compliance for RIA in a Box in New York
City. " Have an inventory of devices, vendors and services the
firm uses so you have an idea of exactly what your specific
risks are, because each firm will look a little different. You
want to have that basis for creating an effective policy and
procedure related to cybersecurity. "
" User security and access controls " are required to restrict
system and data access to authorized users. These steps
include implementation of a written acceptable-use policy
that imposes constraints such as limited-duration access to
specified datasets. Least-privilege access is another procedure
that restricts the availability of data to
only what is required for the user's work.
The proposal calls for authentication
measures that require users to provide
two or more credentials for access, such
as multifactor authentication or geolocation
verification. These controls should
also apply to clients' access to system
information, the SEC says. " We think
MFA is crucial for email and any major
line of business application, " says Daniel
Aronowitz, managing principal in Euclid
Insurance, a fiduciary liability insurer
in Vienna, Virginia. " We think it's the
bedrock of cybersecurity. "
Advisers must adopt, document and
review their cybersecurity risk-reduction
" policies and procedures " at least annually.
These documents identify policies,
workflows, actions to be taken and the parties responsible
for each action for ongoing security maintenance and incident
responses. Per the SEC proposal, the adviser should
document the annual review, assessment and any control
tests performed; document any cybersecurity incidents that
occurred since the date of the last report; and discuss any
material changes to the policies and procedures also since
the last report.
John Eckenrode, a director in the cybersecurity solumust
document that they require service providers with
access to the firm's system to meet the same standards. The
SEC is clear that, while an adviser may outsource a function
and use a third-party system such as Schwab's, he may not
outsource responsibility and remains ultimately accountable
for cybersecurity, according to Rich Itri, chief innovation
officer with ECI in Boston.
According to ECI, the SEC's expectation that firms
" User security
and access
controls "
are required
to restrict
system and
data access
to authorized
users.
should deploy technology that will continuously monitor
their systems for threats and vulnerabilities is a significant
development. " Many firms lack an integrated platform
for monitoring, alerting about, responding to, and remediating
cyberattacks, " the ECI report
claims. " They might use piecemeal
solutions that address some of these
needs in some contexts. But many don't
currently address threats and vulnerabilities
in the comprehensive fashion
the SEC is now calling for. "
" Recordkeeping "
requirements will
expand with an amendment to the
Investment Advisers Act Rule 204-2, the
books and records rule. Advisers must
keep copies of their cybersecurity policies,
annual reviews, risk assessments,
incident-reporting Form ADV-C and any
documents regarding incidents for five
years.
Incident Reporting
The proposal's second main category
includes Rule 204-6, which requires SEC-registered advisers
to report " significant cybersecurity incidents " to the agency
on a revised Form ADV-C. The form's initial draft is included
at the end of the proposal, and it asks 16 questions about
cybersecurity incidents and an incident's status and impact.
Form ADV-C submissions would be confidential and filed
electronically through the Investment Adviser Registration
Depository, or IARD, platform.
There are two potential challenges with Form ADV-C
tions team's advanced solutions sector with consulting firm
Guidehouse in Washington, D.C., supports the policies and
procedures requirement. He says it forces organizations to
consider how they would respond to an incident and to establish
timelines so they can respond in the amount of time the
SEC deems appropriate. " The velocity of onset for cyberattacks
today is such that you can't say, 'We'll figure it out when
it happens, " says Eckenrode. " You must have a plan in place.
You've got to have your communication processes established
to the point where you almost have draft messages because
you kind of know the types of messages you must convey.
There's simply not time to figure it out after it happens. "
The proposal prescribes " information protection and
threat and vulnerability management " methods extensively.
Recommended data protection techniques include
mobile device management; data segmentation; encryption;
and systems testing, including penetration tests. Advisers
submission. The first is determining whether an incident
qualifies as significant and warrants filing. The proposal
offers guidance by defining a significant incident as one or
a group of incidents " that significantly disrupts or degrades
the adviser's ability, or the ability of a private fund client of
the adviser, to maintain critical operations, or leads to the
unauthorized access or use of adviser information, where
the unauthorized access or use of such information results
in: 1) substantial harm to the adviser, or 2) substantial
harm to a client, or an investor in a private fund, whose
information was accessed. "
It likely will take some time for the advisory industry and
the SEC to settle on what constitutes a significant incident,
says Itri. He suspects the agency kept the definition intentionally
broad because it wants the information and also
wants to prevent advisers from exercising too much judgment
and opting out of reports. Itri says that approach could
24 | planadviser.com November-December 2022
http://www.planadviser.com
PLANADVISER - November/December 2022

Table of Contents for the Digital Edition of PLANADVISER - November/December 2022
