EP 103: SEC’s Proposed Rules for Cyber Risk Management
About this episode
April 12, 2022
What’s in the Securities and Exchange Commission’s proposal for new cybersecurity risk management rules for investment advisers and investment companies? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
You can find the SEC’s Fact Sheet and proposed Rules here — https://www.sec.gov/news/press-release/2022-20
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities. And Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Kip Boyle: Hi Jake, what are we going to talk about today?
Jake Bernstein: Hey Kip. Today, we're going to continue our exploration of administrative agencies, updating rules related to cybersecurity. Today we have the SEC's proposed rules that they are calling "cybersecurity risk management for investment advisors, registered investment companies and business development companies."
Kip Boyle: Okay. The SEC, that's the Securities and Exchange Commission here in the United States. Now when I think of the SEC, I think of publicly traded companies, but I guess what you're saying to me is that's not the only type of firm they regulate, right?
Jake Bernstein: That's correct, it's not. The SEC also regulates registered investment advisors and investment companies, which we're going to call funds, under the Investment Advisors Act of 1940, and the Investment Company Act of 1940. So these are 80 year old laws and... Wait, I did that wrong. 60. They are... No wait, I am right. It is 80 year olds. Oh wow. Okay. 80 year old laws here. So these new rules in short require advisors and funds to "adopt and implement written cybersecurity policies and procedures, reasonably designed to address cybersecurity risks." Sounds pretty familiar, doesn't it?
Kip Boyle: Yeah. It's super familiar. And I've just, boy, couple things come to mind. The first thing is as old as these laws seem to be, at least they're not as old as the laws that Abraham Lincoln signed that we're still updating. So that's good.
Jake Bernstein: Ah, yes, that refers to the False Claims Act that we talked about several episodes ago.
Kip Boyle: Yeah. A few episodes ago. I think maybe there's only one other time that we ever delved into like really, really deep history for something. But I kind of remember, we did one time when legal precedent, common law and...
Jake Bernstein: Oh, yeah.
Kip Boyle: Right. So here we are looking again at laws that are being updated to be more applicable to the modern world. Starting to sound like a bit of a broken record, right?
Jake Bernstein: Yeah. We kind of are. And we also very recently discussed the FTC's revisions to the Safeguards Rule under the Gramm-Leach-Bliley Act, actually just in episode 101, which was only two episodes ago. Now here's the difference, is that the FTC had been working on the updates to that rule revision for years; however, in this case, we're looking at the result of the Biden administration cybersecurity executive order, which we actually discussed in episode 93, which was 10 episodes ago.
Kip Boyle: Yeah. So it looks like it's not us being a broken record. And for those of you who don't know what that means, a broken record, I'm talking about vinyl. I'm not talking about breaking a world record in how repetitive a podcast can get.
Jake Bernstein: Or you might want to also, I think these days a broken record might be like, "What's wrong with the database table."
Kip Boyle: That's right. Oh boy. Okay. So it looks like that's the big theme of the US government right now, is trying to modernize, well, better late than never, I suppose.
Jake Bernstein: And just to be clear for those lawyers listening, these are proposed rules under those, the investment, the two 1940 acts. No one's actually updating the acts themselves.
Kip Boyle: Okay. All right. Yes. Thank you for being specific. I'm being way too general when I say that.
Jake Bernstein: Way too general.
Kip Boyle: Way too general. So you mentioned the Biden administration's executive order on cybersecurity. And so listeners go back to episode 93, if you want to unpack that, if you happen to have missed it, but that one said that federal agencies needed to evaluate the need for new rule making. And so here's another example of that, but it's not done. This SEC rule is just at the beginning of its updating process. Is that right, Jake?
Jake Bernstein: Yeah. In fact, it's so at the beginning of the process that there isn't even rule text yet. This is a proposal that really it's descriptive. And there's a lot of detail which we'll talk about, but this is the very, very beginning. So there's going to be several different periods for public comment, discussion, things like that. These types of rule making procedures are not fast.
Kip Boyle: Okay. But there's something available. So we can take a look at what they've published and maybe guess a little bit at what the rules might say.
Jake Bernstein: Yeah. And we don't need to overstate how much we need to guess. I mean, the SEC has published a 243-page document describing these proposed rules and the justifications for all of the changes and all of the Paperwork Reduction Act stuff that goes into that. It's a 243-page document. And so obviously we're not going to hit on every single point in that document.
Kip Boyle: I love the way you undersold that. Oh, they haven't released much yet.
Jake Bernstein: Well, so they haven't released the text of the actual rules because they [crosstalk]
Kip Boyle: I can't wait till they do. 243 pages. What does it look? How big does it get when it's actually texted out?
Jake Bernstein: ... Well, probably actually a lot shorter in this case. The rules themselves are going to be a fraction of that. But anyway, this is very much a proposal, like I said, multiple opportunities for comments, et cetera.
Kip Boyle: Well, that's good. So if people are going to be directly affected by this that's encouraging, you still have an opportunity to tell the regulators what you think. Do they have a history of listening to feedback like this Jake?
Jake Bernstein: Oh, very much so. In fact, they have to. There's the way that the administrative rule making process works, and we don't need to go into detail about the Administrative Procedure Act, but basically-
Kip Boyle: I think we have in the previous episode.
Jake Bernstein: ... Yeah. I think we have to some degree, but there has to be support for changes in the administrative record. And this is, I think I mentioned arbitrary and capricious. Like you can't be arbitrary and capricious as an administrative agency. So you can't just make things up and do what you want, you have to actually have a record upon which to base your administrative action.
Kip Boyle: Okay. And because these are updated rules, that implies directly that there's existing rules. And so one of the reasons that you convinced me to do another episode on federal agency rule making is so that we could maybe look at the existing rules a little bit.
Jake Bernstein: Yeah. And, you know, there is a key difference between this proposal and the GLBA Safeguards Rule we talked about. So with the GLBA Safeguards Rule, there was actually... I mean, that was an existing rule. It was 20 years old. It was promulgated. There's that word again in the 2000s. But the issue we have here is that the existing SEC rules don't actually use the word cybersecurity anywhere. So these will be new rules as opposed to an update of an existing rule. But the requirements... Oh, this is what the SEC is saying, that the requirements in these new rules really aren't new. And I think in other words that if you're a regulated investment advisor or a fund, that doesn't mean that you don't have to pay attention to cybersecurity right now, it's just not very explicit. And we'll talk a little bit about that.
Kip Boyle: Okay. All right. So we can hit on what the SEC currently requires at the same time that we look at the proposed rule updates. But I don't even think we've in, this is episode 103, and I don't think we've looked at SEC requirements before, have we?
Jake Bernstein: I don't think we have either. And so we're digging into some fresh ground here. And I think it's interesting because the SEC it really plays a very important role in the economy, regulating the exchange and the trade of securities. Currently, they're a big deal. They're all over NFTs and cryptocurrency, which I know are a favorite thing of yours.
Kip Boyle: Yeah. I've been watching that, very interesting [crosstalk]
Jake Bernstein: Oh, you have. Mostly criticism, and I agree. But then the SEC's on your side. So I'll just say that.
Kip Boyle: Well, and I kind of want it to be. I mean, I appreciate innovation. I really do; however, I'm also seeing a lot of hucksters and other less than honest people, defrauding folks for the lack of regulation and in the middle of this innovation. So if the people who want NFTs and cryptocurrency and distributed ledgers, blockchains, to succeed, some guardrails I think would be really good.
Jake Bernstein: Yeah. For sure. But that is a separate episode that maybe we could do in the future.
Kip Boyle: Yeah. But let's get on the same page. So this rule would regulate advisors and funds just like you said. But I want to make sure everybody understands what advisors and funds are. So advisors are individuals, or they could also be companies, and they're paid to provide advice to clients about securities, that is, things that they can invest in, like publicly traded stocks. But it also includes bonds and commodities like pork bellies I would assume, and anything else that someone can have in their investment portfolio. So it's pretty broad.
And the SEC regulates any advisor with at least $110 million of client assets under management. And that is not really a high bar for anybody. Anybody who is listening to this episode and you're operating from a distance from the things that we're talking about, $110 million under asset management is just not that much. And investment funds are what many of us use for retirement accounts. So mutual funds, ETFs, exchange-traded funds, money market funds. Does anybody have a hedge fund? I don't know. I don't. I've got these other kinds, though.
Jake Bernstein: Exactly. And just to be clear, under 100 million or below, that just means it's regulated by the states.
Kip Boyle: Ah.
Jake Bernstein: So advisors and funds, just to be clear, they are regulated separately. There are the two different acts, the two different 1940 acts. Not everything that we're going to say will apply equally to both. I just want to give that disclaimer. We're not aiming for that level of detail. But one detail is absolutely critical, at least with respect to advisors. And that is that advisors are fiduciaries of their clients. And they must act in the best interest of their clients at all times. Specific duties owed, here are the two standard ones: duty of care and duty of loyalty. And what stems from that is that advisors have an obligation to take steps to protect client interests from being placed at risk from any event that would impact the advisor's own ability to provide advisory services. So maybe let's unpack that a bit.
Kip Boyle: Sure. So as we unpack it, I wanted to ask you for a clarification. So advisors are fiduciaries, but funds are not, is that right?
Jake Bernstein: You know, I'm actually going to say I'm not a hundred percent sure. They're different because a fund has money. They're different vehicles. I don't think that they are fiduciaries in the same way that an advisor is.
Kip Boyle: Okay.
Jake Bernstein: As I say, I'm a security lawyer, not a securities lawyer.
Kip Boyle: Okay. All right. Well, if anyone's listening and you can tell us, let us know, send us a note. We'd love to know. But let's go back to the advisors. So advisors are fiduciaries. And so if you think about what that obligation means, I think it could mean that if an advisor's systems get locked down by ransomware, then that could be a violation of the due care that they owe to their clients. Is that right?
Jake Bernstein: That is right. And that's very bad for the advisor. Not only is it going to involve potential lawsuits by affected clients, but also it'll definitely invite regulatory scrutiny. And so we're looking at this 243-page document and the SEC spends a fair amount of time discussing what advisors must already do with respect to cybersecurity. And what it says is that advisors must take steps to minimize operational and other risks that could lead to significant business disruptions or a loss or misuse of client information. That sounds a little bit like cybersecurity to me. And in other words, the SEC here says, "Look advisors and funds, you already have these duties to your clients. And even though the word cybersecurity doesn't actually appear in any current rule or law, that doesn't mean that you get to just ignore cybersecurity related risks."
Kip Boyle: Well, yeah. And that's interesting because if they weren't using computers to keep their ledgers and do all that other stuff they still have to protect the information. And so it really all comes down to information.
Jake Bernstein: Well, I do remember when these laws were passed, 1940.
Kip Boyle: They were using ink ledgers.
Jake Bernstein: Probably they would've been. Yes.
Kip Boyle: Yeah. Because that was just on the dawn of business computing. So that makes sense. So that's what the SEC is saying to advisors, but there's a similar line of reasoning that they're applying to funds as well. And in fact, there are other SEC rules that do require advisors and funds to consider cybersecurity. So there's this Regulation S-P which is very similar to the GLBA Safeguards Rule in some ways, I remember you telling me about this, that it focuses on the adoption of written policies and procedures, and that those have to address administrative, technical and physical safeguards to protect customer records, customer information. So that's one. There's another regulation called Regulation S-ID, and that requires advisors and funds to implement written identity theft programs. Why? Well, to limit identity theft when people compromise financial records. So there's already some here that talk to cybersecurity, but-
Jake Bernstein: They do. But I think the SEC, rightly so, says that even though the current law and these rules do require advisors and funds to pay attention to cybersecurity, the SEC also acknowledges that none of these current rules require advisors or funds to adopt and implement comprehensive cybersecurity programs. And while some advisors and funds have done so, this is my favorite part, the SEC is "concerned" that many funds have not implemented reasonably designed cybersecurity programs. And just FYI, by way of background, and this is cited in the 243-page document, but the SEC over the past decade or so has on several occasions kind of done spot checks, if you will, of cybersecurity programs within their regulated industry and then published reports. And let's just say that you would not get your good student discount if you were someone getting these report cards. So I think that's why the SEC is concerned. They know that people aren't doing this.
Kip Boyle: Yeah. Well, what a flair for understatement.
Jake Bernstein: Yes.
Kip Boyle: They're concerned. All right. So in terms of this episode, though, we wanted to cover some background about how we got here and why the SEC wants to do this, that is update rules. So let's talk about the new rules. What do you think they're going to require?
Jake Bernstein: Okay. So I'm going to start with this nice fact sheet that the SEC supplied alongside its February 9, 2022 press release. There will be a link in the show notes.
Kip Boyle: Yes.
Jake Bernstein: And I'm going to use that to help us summarize the proposed rule. So at a high level, there are basically four items in the proposal. And those requirements will require advisors to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks, that's one. Two is, report significant cybersecurity incidents to the commission on a newly designed form, because the SEC loves forms. Third is, it's going to, and this is more of a, the rule would enhance advisor and fund disclosures related to cybersecurity risks and incidents. And then finally advisors and funds would have to maintain, make and retain certain cybersecurity related "books and records." And that's books and records is an existing kind of term of art within this industry.
Kip Boyle: I would have to think so, for them to continue to use it. It's quite-
Jake Bernstein: Well, as you said, when this was passed, they were literally using ink ledgers in books.
Kip Boyle: ... Yeah. So those are four really interesting points. The two middle ones though. I think we should briefly touch on those, but let's spend the rest of our time talking about the written policies and procedures, because I'm just fascinated by the books and records thing.
Jake Bernstein: Yeah, me too. And so those two in the middle are a reporting requirement with the SEC form. And that sounds like a good idea in general, but still I think this one's a little trickier than it seems. Right, Kip?
Kip Boyle: Yeah. Definitely. There's so much vagueness here. There's going to need to be a definition of what exactly is a significant cybersecurity incident. That I don't believe is a commonly defined term in any industry, let alone financial services. But I think there's even more that needs to get sorted out in terms of definitions. Reporting obligations, there's a lot of questions there. Like when does the clock start? Like when you've had a significant cybersecurity incident, what is the start point of that? Do you go back in your digital evidence to the first discovered incident that ultimately cascaded into the thing that made it significant or is it when management finally agrees that there's been an incident? Can you weasel your way around that? I just see that all the time. So there's got to be a lot more clarity here.
And reporting obligations, are there penalties? What are they? Because a lot of people try to sweep this stuff under the rug. I mean, if I don't report it, who's going to know? Kind of thing. So this sounds good right at the top, but once you start digging into it, I think it's difficult. Okay. Having said that, I do think advisors and funds should be required to disclose the cybersecurity risks they face and the incidents that they've experienced. And this is a long running wish that we in the cybersecurity community have. And fortunately, there's actually been some actions towards this.
Just like the National Transportation Safety Board has open investigations whenever there's a major accident, airlines or highways, and root cause is determined and then that information is given out to everybody so that they can make improvements to avoid that kind of calamity again, especially if there's loss of life. I think, and I think other people believe that we would be better off if that sort of thing happened as well. And so I think it would be good if the SEC would promote that.
But even myself as an individual consumer, I would love to know that advisor A or Fund A, I would like to know that they've carefully identified their cyber risks and that they're reporting on them. And for me, I'm more likely to trust them with my money. So even though there are some issues here, I think it's good.
Jake Bernstein: Yeah. And I agree on both points. I think reporting is important. You're totally right though. The SEC is going to have its hands full writing up a truly effective and useful rule and that'll definitely be something to monitor. So let's dig into the real meat here and go ahead. Let's kick it.
Kip Boyle: Yeah. That's the requirement for written cybersecurity policies and procedures, WISP. We want a written information security program. Is that fair to use that term?
Jake Bernstein: Yep.
Kip Boyle: Okay. So it's got to be written. I struggle with that, that people get so distracted I think, about the fact that it has to be written and they get nervous. And so there's people who will just buy an off the shelf set of policies and procedures, and construct this extremely elaborate window dressing, but they'll never operationalize them. So that just seems like a big waste of money. I talk with customers all the time about not doing it. My recommendation is: don't document anything if all you're going to do is ignore it. I just think there's a lot of peril there. I mean, it makes the auditors go away. But if you ever get into a situation where you're called to account by a regulator or a court of law or something like that, I would think it'd be pretty obvious, pretty fast that nobody ever did anything that was in those policies. And that just seems like a really weak position to be in.
Jake Bernstein: Yeah. And it's really fascinating. In fact, I think you just inadvertently gave me an idea for a future episode, which is the difference between the way that auditors work and the way that regulatory investigations or lawsuits work. The two are really quite different. They serve different purposes.
Kip Boyle: And you see auditors a lot more than you see regulators.
Jake Bernstein: Of course. I mean, a lot of companies, you have to see an auditor every year. So like I said, this is not knocking auditing, this is just pointing out that they serve different purposes and they do different things.
Kip Boyle: Yeah. And I'm actually affirming your point here because in my experience, I think this distinction that you're making is lost on a lot of management team members. Because like I said, they see auditors all the time, but they don't really encounter regulators and plaintiff's attorneys. So they really haven't had that experience of knowing that it's such a different thing. So I think that would be a good episode.
But I guess as far as the written cybersecurity policies and procedures goes, I just want to say that I do think you should have them, but I just think they should be minimum viable. I think you should write down the very least you can get away with and still be reasonable, but make sure you operationalize that stuff, right. So that's-
Jake Bernstein: Let's unpack that a little bit more. And I'm going off script here, because I think this is a really, really interesting and important point. There's a growing requirement out there for written policies and procedures. In fact, some of the criticism leveled against the recent GLBA update, the GLBA rules update, the Safeguards Rule, was that the written, or I should say the contents of the written policies and procedures were getting a little bit too specific and people were concerned about whether that would reduce flexibility.
And in fact that's accidentally veering back to the script. Every client isn't the same, and needs do vary substantially. And the proposed new rules take that into account or I mean, they will. The proposal itself absolutely discusses the need for flexibility and provides quite a bit of it. And it says how advisors and funds, they can choose to handle their cybersecurity risk internally or through the help of an external party. Hey, I think we know some good folks for that, right?
Kip Boyle: Absolutely.
Jake Bernstein: And in any event, deciding who is responsible is just part of this process. And it would be interesting to come back and discuss the idea of written policies and procedures.
Kip Boyle: Yeah. We should.
Jake Bernstein: As a lawyer, I think I'm heavily biased in favor of things in writing. A big part of that isn't just because... I mean, I'm torn as well. I don't like that it becomes a checkbox item, that you're just like, "Oh, I have it in writing," because that's kind of missing the point of the exercise, extremely missing the point of the exercise. But at the same time, my view tends to be, if it's not in writing, it might as well not exist. And I think that's largely true, and we're going to see that in a moment, because the word written comes up quite a bit here.
So Kip, speaking of this process that we just mentioned, what is the first step when developing a comprehensive cybersecurity program?
Kip Boyle: Well, I think you need a risk assessment, right?
Jake Bernstein: That is yes, absolutely.
Kip Boyle: Yeah. Although that's another very squishy thing to do, a risk assessment. There is no universal risk assessment. There's no single risk assessment checklist. In fact, I just finished creating and recently have published on LinkedIn Learning an IT and cybersecurity risk essentials course. So I just spent a ton of time trying to figure out for the purposes of building my course, is there a generalized risk assessment methodology and so forth. And I kind of sort of found one. But anyway, you should definitely go check out my course, if you want to know more. But you need to do a risk assessment. And the SEC's proposed rule would in fact, require advisors and funds to do this periodically. And it even says that they have to assess, categorize, prioritize, love that word, and draft written documentation of the cybersecurity risks associated with their information systems and the information residing therein. And yes, I quoted that.
Jake Bernstein: You did. Now, prioritize. I'm going to scoot the soap box over to you and invite you to stand up on it because I know that this word matters a lot to you. I think what happens sometimes is, one of our many catch phrases, or this I think is your catchphrase is, infinite risk, finite resources. Is that right?
Kip Boyle: Yeah. That's right. I mean, we all have unlimited risk coming at us, and we all have limited resources. Even the NSA and other parts of the government, which seemingly have unlimited funding, I mean, it's still limited. I mean, look what Edward Snowden did to the National Security establishment. An organization that you would think would have all the resources that they needed to cover every base and they didn't. And so we have to prioritize. And the question is, how are you prioritizing?
And what I see a lot of our customers do is using means of prioritizing that I think is very, very robust and doesn't create a lot of business value. Like for example, just reacting to what gets printed in the newspaper. Just watching the headlines and, "My gosh, it's just the tip of the iceberg. If you do that, you miss so much." And other people just say, "Well, whatever Microsoft's doing or whatever Cisco is doing," or pick your favorite vendor, they sort of track along with them and that's how they set their priorities. But-
Jake Bernstein: As you say that, I think to myself, gosh, but those companies are so different from most other companies. Their risks are very different.
Kip Boyle: Right. So they're not literally doing what Cisco's doing and Microsoft's doing, they're just buying whatever products these vendors are selling. They're saying, "Well, if this is a product that's being sold by a top-tier vendor of security products, it must be important. And I must have to implement it because everybody else is."
Jake Bernstein: Well, that's a really interesting way to spend your cybersecurity dollars, isn't it? I mean...
Kip Boyle: Oh, I see it all the time. I see it all the time. And I'm not saying it's a totally bankrupt way of doing it, but the point is that if you have a substantial risk and no vendor is selling any product on it, you're going to miss it. You're just going to miss it.
Jake Bernstein: Yeah, that's right. Okay. It's funny. I can already see how that books and records requirement is being built up here. And just to be clear again, the proposal goes into very specific detail, remember 243 pages about this whole risk assessment process and all the goals that it should meet. I'm personally very curious to see what the eventual rule language will include. But why don't you go ahead to the next element here, Kip.
Kip Boyle: Yeah. So the next element of reasonably designed policies and procedures has to do with user security and resource access. And there are five items that they say have to be included. There's first of all, standards of behavior for authorized users, the second is identification and authentication protocols. The third is password management and supportive authentication. The fourth is restricted access based on need to know and limited access principles. And then the final, the fifth one is secure protocols for remote access to the advisor's or the fund's information systems. I like that. That's all reasonable. There's a little squishiness in there.
Jake Bernstein: And there is. There's always going to be squishiness. And that's really the challenge here, is, even though those five points seem or at least could seem pretty squishy, I can also see how some people might complain that even that is too much of a requirement. Like, what if we never use passwords? But of course at the same time, the full phrase is talking really about just supporting authentication. The SEC's going to have work to do here as they move toward actual final language. They're going to want to avoid specifying technologies, techniques, things like that, and really focus on concepts and principles that I think are less likely to expire.
Kip Boyle: Right. In other words, don't go in the same direction as the Payment Card Industry's Data Security Standard, which is extremely specific and becomes stale very fast. And they're not always quick to update that stuff.
Jake Bernstein: Yup.
Kip Boyle: But anyway, that's that element. Now, there's another category of information protection. More vagaries, right?
Jake Bernstein: Yeah, it is. And it's interesting because even though the SEC spilled about two and a half pages of digital ink on it, that's really a very small percentage of the total. And this is a pretty major part.
Kip Boyle: So 1%.
Jake Bernstein : Yeah. What I interpreted it as, is really the protect function of the NIST cybersecurity framework. And I think what that means is monitoring systems, classifying sensitivity of information, IDS/IPS technologies, et cetera. It really does seem like the section is a little bit less well developed at this point, but that's okay. I think the SEC has plenty of time to clarify this stuff.
Kip Boyle: Huh. I hope that they don't try to reinvent the wheel here. It would really be nice if they would just incorporate NIST CSF by reference or something like that. I mean, definitely crosstalk-
Jake Bernstein : Well, they certainly cite to it a lot. If you peruse the footnotes in this 243-page document, the CSF800 SPA800-53, all that good stuff comes up a lot. So they're clearly onboard and aware of it. So we'll see. We'll see what they end up to doing.
Kip Boyle: ... Yeah. Interesting. So for those of you who are in this area, a fund or an advisor, and you're thinking, "Maybe I should check out this NIST CSF thing." If you haven't already, well, guess what, I've been really busy lately, and I have another course that you could go and get. This one's not on LinkedIn Learning though, it's on Udemy. You can go to Udemy and you can find my implementing this CSF course. It just was released and I think it turned out really, really well. But yeah, you should go check it out. Tell me what you think. I'd love to hear some feedback.
Okay. Back to the SEC. There's only two more sections of the policies and procedures. Section one is threat and vulnerability management, which, that's good. And then incident response and recovery is the other one. They really do need to incorporate NIST to flesh all this out. And there's an opportunity to guide them. They want feedback, don't they?
Jake Bernstein : They do. I think there's 40 plus questions overall. Maybe even more than that throughout the 243-page procedure, or proposal, rather. So they really are looking for help here. So, getting ready to wrap this up. So the recordkeeping, which is the books and records requirement, really, it's fairly straightforward. Advisors and funds must keep copies of their cybersecurity policies and procedures, but they also have to maintain copies of any of the annual reports that document the annual review of cybersecurity policies and procedures. That's something that's in there. Copies of that new form. They're calling it ADV-C. I have no idea what that stands for or why, but that's the reporting requirement. And then records that fully document any cybersecurity incident over the last five years. So just FYI, that's an interesting requirement, not so much because it's a requirement, but just because I like how it specifies the duration. It really means that if you've got a records retention policy and you're regulated here, make sure that you keep this stuff for at least five years.
And then the last one is records documenting the advisor's risk assessment over the last five years. And just to be clear, funds all have similar requirements. So there you go. That is a distillation in about 35 minutes of the entire 243-page SEC proposal.
Kip Boyle: Wow. Okay. If anybody was planning to read it, now you don't have to, now you know. But I want to ask you a question about the second to last copy requirement, where it was records that fully document any cybersecurity incident over the last five years. I know from talking to you and working with you that attorney-client privilege could apply to those kinds of records and even the risk assessments. So how would that be navigated if an advisor or a fund was using legal advice to do those incidents and those risk assessments? So how does that work?
Jake Bernstein : That's a good question. I think that these kinds of requirements basically mean that those types of documentation are just outside the scope of attorney-client privilege. In other words, there's a specific requirement here that you have these records. What exactly the records will require, whether they include privileged material, that's a question for someone who's more generally familiar with the SEC itself and the way it regulates. All of that will eventually kind of come to light, but that's a good question. It remains to be seen.
Kip Boyle: Yeah. Well, it certainly comes up in our work. That's for sure. Oh, this... my work is never boring. I'll tell you that. Stuff's always changing. And it's never ending. I mean, here it is 2022, and we've got one of the most well recognized national agency regulators out there, the SEC, just now really thinking about specifically talking about cybersecurity. I mean, it's pretty fascinating if you think about it, how one of the reasons that they're doing this is that, like I said at the beginning, none of the SEC's current rules use the phrase cybersecurity. It's just not there. Which is almost crazy given how much we rely upon stock markets and things like that to really have such an impact on the economy.
Yeah, absolutely. This has been great. Any final words?
Jake Bernstein : No, I don't have any final words.
Kip Boyle: Amazing.
Jake Bernstein : It is amazing. I think that there's just a lot that remains to be seen here.
Kip Boyle: Yeah. But this is your sneak peek. So, all right. That wraps it up then, this episode of the Cyber Risk Management Podcast. Today, we discussed the Securities and Exchange Commission's proposal for new cybersecurity risk management rules that will apply to investment advisors and investment companies. Thanks everybody. We'll see you next time.
Jake Bernstein : See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle, that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.