PLANADVISER - November/December 2022 - 25

generate a large volume of unnecessary reports that will lead
the SEC to tighten its reporting policy after the final rule has
been effective for a year or so.
Meeting the Form ADV-C filing deadline could be
another challenge. A report from the Kirkland & Ellis LLP
law firm notes that an incident report must be filed with
the SEC " promptly, but in no event more than 48 hours after
having a reasonable basis to conclude that an incident has
occurred or is occurring. " The emphasis is on filing promptly,
according to Kirkland & Ellis: " The proposed rules emphasize
that advisers should not wait until after definitively
concluding that an incident has occurred or is occurring. "
New Disclosures
The proposal's third main category amends an RIA's publicly
available Form ADV Part 2A to include a discussion of material
cybersecurity risks. The Form ADV Part 2A regulations,
also called the " brochure rule, " spell out the minimum
information that an adviser must provide new clients and
periodically update with existing clients.
Kirkland and Ellis report that the proposed rule would
amend Part 2A to include a new section. The additional
text would include a plain-English disclosure of risks that
could " materially affect the advisory services provided by
the adviser, and how the adviser assesses, prioritizes and
addresses cybersecurity risks created by the nature and
scope of their business. "
The SEC uses a forward-looking argument for the disclosure
requirements. Even if a cybersecurity risk has not led
to an incident, it can be considered material to an adviser's
advisory relationship with his clients " if there is a substantial
likelihood that a reasonable client would consider the
information important based on the total mix of facts and
information. " Also, the proposal's definition of materiality
makes frequent use of the " could " qualifier in its requirements,
with language such as could disrupt the adviser's
ability to provide services; could result in the loss of adviser
or client data; or could harm, or has harmed, clients.
Kirkland & Ellis points out that, besides the forwardlooking
analysis, advisers must disclose any incidents in
the past two fiscal years that " have significantly disrupted
or degraded the adviser's ability to maintain critical operations,
or that have led to the unauthorized access or use of
adviser information, resulting in substantial harm to the
adviser or its clients. "
The SEC will want to see specific items in the incident
disclosures: the entity or entities affected; dates of
discovery and the incident's status; whether any data was
stolen, altered, accessed or used for any other unauthorized
purpose; how the incident affected the adviser's operations;
and whether the adviser, or service provider, has remediated
or is currently remediating the incident.
Advisers must deliver Form ADV Part 2A amendments
promptly. The SEC does not specify a delivery time limit, but
the proposal's language emphasizes speed: " ... the timing of
the brochure amendment delivery should take into account
the exigent nature of cybersecurity incidents, which would
generally militate toward swift delivery to clients. "
Possible Business Implications
As the cost and complexity of dealing with cybersecurity
regulations increases, it raises a question of how small and
midsize RIAs will cope. Outsourcing is an obvious answer.
Merging or partnering with a larger RIA could be another
solution. Jon Meyer, chief technology officer with RIA firm
CAPTRUST in Raleigh, North Carolina, says the firm has
52 persons on its IT staff with seven working solely on security
and networking. Smaller firms cannot match this dedicated
expertise, which makes mergers and alliances with
larger RIAs such as CAPTRUST attractive. -Ed McCarthy
GET PROACTIVE
T
he Securities and Exchange Commission's
final rule is still unavailable, but
a prudent course would be to review
cybersecurity practices now with the
goal of identifying and correcting weaknesses,
says Jon Meyer of CAPTRUST.
Meyer suggests starting with the best
practices in the 12-point cybersecurity
program published by the Department
of
Labor
Employee Benefits
Security
Administration in April 2021.
" I think that's a fantastic starting point
for us and for really any firm to make sure
*Reprinted with permission
services,
you're operating a thorough and wellmanaged
cybersecurity risk program, "
Meyer says.
ECI, a global provider of managed
cybersecurity and business
transformation consulting for financial
service organizations, has developed a
detailed action plan for advisers awaiting
the SEC's rule. Here are seven recommended
actions
" New SEC Rules for Cybersecurity Risk
Management: How Investment Advisers
and Funds Should Respond Today " *:
1) Establish written cybersecurity plans,
policies and procedures;
2) Review, document and enforce
access management best practices;
3) Deploy data protection policies and
technologies;
4) Manage threats and vulnerabilities;
5) Implement cybersecurity incident
response planning and recovery;
from the ECI report
6) Report and disclose cybersecurity
incidents; and
7) Formalize cybersecurity responsibility
and accountability.
planadviser.com November-December 2022 | 25
http://www.planadviser.com
PLANADVISER - November/December 2022

Table of Contents for the Digital Edition of PLANADVISER - November/December 2022
