Introduction
The Securities and Exchange Commission (SEC) recently proposed a new cybersecurity rule that would require registered investment advisers and broker-dealers to establish and implement written policies and procedures to protect against cyber attacks. The proposed rule is aimed at protecting investors’ sensitive data and the integrity of the securities markets.
As a financial professional, it’s crucial to understand the proposed SEC cybersecurity rule and how it could potentially impact your business. In this blog post, we will discuss the key provisions of the proposed rule and what you need to know to ensure compliance.
Background on the Proposed SEC Cybersecurity Rule
The proposed SEC cybersecurity rule builds on previous guidance issued by the regulatory body regarding cybersecurity policies and procedures. The proposed rule would require covered entities to implement measures to prevent, detect, and respond to cyber attacks.
One of the critical provisions of the proposed rule is that covered entities must establish and implement written policies and procedures reasonably designed to protect customer records and information from unauthorized access, use, alteration, or destruction. The rule would also require covered entities to conduct regular risk assessments and maintain comprehensive incident response plans to address potential cyber threats.
Key Provisions of the Proposed Rule
The proposed SEC cybersecurity rule would require registered investment advisers and broker-dealers to take the following steps to protect against cyber attacks:
- Establish and implement written policies and procedures reasonably designed to safeguard customer records and information from unauthorized access or use;
- Conduct periodic cybersecurity risk assessments to evaluate the effectiveness of the policies and procedures;
- Maintain written plans to respond to cybersecurity incidents, including procedures for assessing the scope of an incident and notifying relevant parties;
- Select and utilize hardware and software appropriate to maintain the integrity of customer records and information; and
- Ensure that individuals with access to confidential information receive appropriate cybersecurity training.
What You Need to Know to Ensure Compliance
To ensure compliance with the proposed SEC cybersecurity rule, registered investment advisers and broker-dealers must take a risk-based approach to cybersecurity that includes the following:
- Identifying and assessing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of customer records and information;
- Designing and implementing a comprehensive information security program to mitigate identified risks;
- Conducting ongoing assessments to evaluate the effectiveness of the information security program and adjust it as necessary;
- Ensuring that service providers have appropriate cybersecurity controls in place; and
- Establishing procedures for responding to cyber incidents effectively.
Conclusion
The proposed SEC cybersecurity rule is aimed at protecting investors’ sensitive data and the integrity of the securities markets. Registered investment advisers and broker-dealers must take steps to comply with the rule, including establishing and implementing written policies and procedures to protect against cyber attacks and conducting regular risk assessments. By adhering to the proposed rule’s provisions and implementing a robust cybersecurity program, covered entities can mitigate the risks of cyber threats and safeguard their customers’ data.