
EP 122: Best Episode of 2022
About this episode
January 3, 2023
What’s our “best episode” of 2022? This one had the highest number of downloads. Let’s find out which one it was with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Episode Transcript
Kip: Hi, and welcome to episode 122 of the Cyber Risk Management Podcast. Jake and I were recently reviewing the performance stats of the podcast because we wanted to know which of the episodes was most popular in 2022. But one of the frustrating things about podcasting is there's no single place you can go to get a full picture of who's listening and what they're listening to. So we tried our best to assemble a complete view by visiting several different websites that do offer some statistics. What we ended up with was a multifaceted view of what happened over the past 12 months. But one thing stood out, which is we do have a favorite episode, or I should say you have a favorite episode, and that was episode 103, which is called, SEC's proposed Rules for Cyber Risk Management. But it's not number one by much.
It only has 2% more downloads than our second most popular episode and that second most popular episode is only ahead of our third most popular episode by 3%. So for whatever it's worth, what we learned was that our top five episodes are only separated by a few percentage points each and what we think that means is that you are listening to every episode we publish and not just your favorite topics. And Jake and I are very grateful to you for that. So in honor of our top episode for 2022, you're about to hear a replay of episode 103, and even though it was published in the spring of 2022, it's still very fresh. So Jake and I hope that you enjoy this best of the Cyber Risk Management podcast episode, and we'll have a whole new year's worth of episodes for you in 2023. Happy Holidays.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and KLgates.com.
Kip: Hi Jake, what are we going to talk about today?
Jake: Hey, Kip. Today we're going to continue our exploration of administrative agencies updating rules related to cybersecurity. Today we have the SEC's proposed rules that they are calling "Cybersecurity risk management for investment advisors, registered investment companies, and business development companies."
Kip: Okay. The SEC, that's the Securities and Exchange Commission here in the United States. Now, when I think of the SEC, I think of publicly traded companies, but I guess what you're saying to me is that's not the only type of firm they regulate, right?
Jake: That's correct. It's not. The SEC also regulates registered investment advisors and investment companies, which we're going to call Funds, under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. So these are old, I mean, these are 80-year-old laws and... Wait, I did that wrong. 60. They are... No, wait, I am right. It is 80 years old. Wow, okay. 80-year-old laws here. And anyway, these new rules, in short, require advisors and funds to "Adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks." Sounds pretty familiar, doesn't it?
Kip: Yeah, it's super familiar. And boy, couple things come to mind. The first thing is, as old as these laws seem to be, at least they're not as old as the laws that Abraham Lincoln signed that we're still updating. So that's good.
Jake: Yes, that refers to the False Claims Act that we talked about several episodes ago.
Kip: Yeah, a few episodes, a few episodes ago. I think maybe there was only one other time that we ever delved into really, really deep history for something, but I kind of remember we did one time when legal precedent, common law and, anyway. So here we are looking again at laws that are being updated to be more applicable to the modern world, starting to sound like a bit of a broken record, right?
Jake: Yeah, we kind of are. And we also very recently discussed the FTC's revisions to the Safeguards Rule under the Gramm-Leach-Bliley Act, actually just in episode 101, which was only two episodes ago. Now, the difference is that the FTC had been working on the updates to that rule revision for years. However, in this case, we're looking at the result of the Biden Administration's Cybersecurity executive order, which we actually discussed in episode 93, which was 10 episodes ago.
Kip: Yeah. So it looks like there's... It's not us being a broken record, and for those of you who don't know what that means, a broken record, I'm talking about vinyl. I'm not talking about breaking a world record in how repetitive a podcast can get.
Jake: Or you might want to also... I think these days a broken record might be like, "Oh, what's wrong with the database table?"
Kip: That's right. That's right. Oh boy. Okay. So it looks like that's the big theme of the US government right now is trying to modernize. Well, better late than never, I suppose.
Jake: And just to be clear, for those lawyers listening, these are proposed rules under the investment, the two 1940 acts, we're not actually... No one's actually updating the acts themselves.
Kip: Okay. All right. Yes. Thank you for being specific. I'm being way too general when I say that.
Jake: Way too general.
Kip: Way too general. Okay. Okay. So you mentioned the Biden Administration's executive order on cybersecurity, and so yeah, listeners go back to episode 93 if you want to unpack that, if you happen to have missed it. But that one said that federal agencies needed to evaluate the need for new rulemaking. And so here's another example of that, but it's not done. This SEC rule is just at the beginning of its updating process. Is that right, Jake?
Jake: Yeah, it is and in fact, it's so at the beginning of the process that there isn't even rule text yet. This is a proposal that really is very... It's descriptive. There's a lot of detail which we'll talk about, but it is not... This is the very, very beginning, so there's going to be several different periods for public comment, discussion, things like that. These types of rule making procedures are not fast.
Kip: But there's something available so we can take a look at what they've published and maybe guess a little bit at what the rules might say.
Jake: Yeah. And I know we don't need to overstate how much we need to guess. I mean, the SEC has published a 243-page document describing these proposed rules and the justifications for all of the changes and all of the Paperwork Reduction Act stuff that goes into that. It's a 243-page document. And so obviously we're not going to hit on every single point in that document.
Kip: I love the way you undersold that. "Oh, they haven't released much yet."
Jake: Well, so they haven't released the text of the actual rules, because it doesn't exist yet.
Kip: I can't wait until they do. 243 pages, what does it look... How big does it get when it's actually texted out?
Jake: Well, probably actually a lot shorter in this case. The rules themselves are going to be a fraction of that. But anyway, this is very much a proposal, like I said, multiple opportunities for comments, et cetera.
Kip: Okay. Well, that's good. So if people are going to be directly affected by this, that's encouraging, you still have an opportunity to tell the regulators what you think? Do they have a history of listening to feedback like this, Jake?
Jake: Oh, very much so. In fact, they have to. The way that the administrative rule making process works, and we don't need to go into detail about the Administrative Procedures Act, but basically-
Kip: I think we have in the previous episode.
Jake: I think we have to some degree, but there has to be support for changes in the administrative record. I think I mentioned arbitrary and capricious, you can't be arbitrary and capricious as an administrative agency. So you can't just make things up and do what you want, you have to actually have a record upon which to base your administrative action.
Kip: Okay. And because these are updated rules, that implies directly that there's existing rules. And so one of the reasons that you convinced me to do another episode on federal agency rule making is so that we could maybe look at the existing rules a little bit.
Jake: And no, there is a key difference between this proposal and the GLBA Safeguards Rule we talked about. So with the GLBA Safeguards Rule, there was actually... I mean, that was an existing rule. It was 20 years old. It was promulgated, there's that word again, in the 2000s. But the issue we have here is that the existing SEC rules don't actually use the word "Cybersecurity" anywhere. So these will be new rules as opposed to an update of an existing rule, but the requirements, this is what the SEC is saying, so that the requirements in these new rules really aren't new. And I think in other words, that if you're a regulated investment advisor or a fund, that doesn't mean that you don't have to pay attention to cybersecurity right now. It's just not very explicit and we'll talk a little bit about that.
Kip: Okay. All right. So we can hit on what the SEC currently requires at the same time that we look at the proposed rule updates. But I don't even think we've... This is episode 103, and I don't think we've looked at SEC requirements before, have we?
Jake: I don't think we have either and so we're digging into some fresh ground here. And I think it's interesting because the SEC, it really plays a very important role in the economy, regulating the exchange and the trade of securities. Currently, they're a big deal. They're all over NFTs and cryptocurrency, which I know are a favorite thing of yours.
Kip: Yeah. I've been watching that. Very interesting.
Jake: Yes you have. Mostly criticism, and I agree, but the SEC's on your side, so I'll just say that.
Kip: Well, and I want it to be. I mean, appreciate innovation, I really do, however, I'm also seeing a lot of hucksters and other less than honest people, defrauding folks for the lack of regulation and in the middle of this innovation. So if the people who want NFTs and cryptocurrency and distributed ledgers, blockchains to succeed, some guardrails, I think would be really good.
Jake: Yeah, for sure. But that is a separate episode that maybe we could do in the future.
Kip: Yeah, yeah. Okay. But let's get on the same page. So this rule would regulate advisors and funds, just like you said, but I want to make sure everybody understands what advisors and funds are. All right. So advisors are individuals, or they could also be companies, and they're paid to provide advice to clients about securities. That is things that they can invest in, publicly traded stocks, but it also includes bonds and commodities like pork bellies, I would assume, and anything else that someone can have in their investment portfolio. So it's pretty broad and the SEC regulates any advisor with at least $110 million of client assets under management and that is not really a high bar. For anybody who is listening to this episode and you're operating from a distance from the things that we're talking about, $110 million under asset management is just not that much. And investment funds are what many of us use for retirement accounts. So mutual funds, ETFs, exchange-traded funds, money market funds. Does anybody have a hedge fund? I don't know. I don't. I got those other kinds though.
Jake: Exactly. And just to be clear, it's under $100 million or below, or that just means it's regulated by the states. So advisors and funds, just to be clear there, they are regulated separately, there are the two different acts, the two different 1940 acts. Not everything that we're going to say will apply equally to both. I just want to give that disclaimer, we're not going to try... We're aiming for that level of detail. But one detail is absolutely critical, at least with respect to advisors, and that is that advisors are fiduciaries of their clients, and they must act in the best interest of their clients at all times. Specific duties owed here are the two standard ones, duty of care and duty of loyalty. And what stems from that is that advisors have an obligation to take steps to protect client interests from being placed at risk from any event that would impact the advisor's own ability to provide advisory services. So maybe let's unpack that a bit.
Kip: Sure, sure, sure, sure. Okay. But before, okay. So as we unpack it, I wanted to ask you for a clarification. So advisors are fiduciaries, but funds are not? Is that right?
Jake: I'm actually going to say I'm not 100% sure. They're different because a fund is not... A fund has money, they're different vehicles. I don't think that they are fiduciaries in the same way that an advisor is but I'm not a securities... As I say, I'm a security lawyer, not a securities lawyer.
Kip: Okay. All right. Well, if anyone's listening and you can tell us, let us know, send us a note, we'd love to know. But let's go back to the advisors, so advisors are fiduciaries and so if you think about what that obligation means, I think it could mean that if an advisor's systems gets locked down by a ransomware, then that could be a violation of their due care that they owe to their clients. Is that right?
Jake: That is right and it's very bad for the advisor. Not only is it going to involve potential lawsuits by affected clients, but also it'll definitely invite regulatory scrutiny. And so we're looking at this 243-page document, and the SEC spends a fair amount of time discussing what advisors must already do with respect to cybersecurity. And what it says is that advisors must take steps to minimize operational and other risks that could lead to significant business disruptions or a loss or misuse of client information. That sounds a little bit like cybersecurity to me. And in other words, the SEC here says, "Look advisors and funds, you already have these duties to your clients and even though the word 'cybersecurity' doesn't actually appear in any current rule or law, that doesn't mean that you get to just ignore cybersecurity related risks."
Kip: Well, yeah. And that's interesting because if they weren't using computers to keep their ledgers and do all that other stuff, they still have to protect the information so it really all comes down to information.
Jake: Well, do you remember when these laws were passed in 1940-
Kip: They were using ink ledgers.
Jake: They would've been, yes.
Kip: Yeah. Because that was just on the dawn of business computing, so yeah, that makes sense. Okay. So that's what the SEC is saying to advisors, but there's a similar line of reasoning that they're applying to funds as well. And in fact, there are other SEC rules that do require advisors and funds to consider cybersecurity. So there's this Regulation S-P, which is very similar to the GLBA Safeguards Rule in some ways, I remember you telling me about this, that it focuses on the adoption of written policies and procedures and that those have to address administrative, technical and physical safeguards to protect customer records, customer information. So that's one. There's another regulation called Regulation S-ID, and that requires advisors and funds to implement written identity theft programs. And why? Well, to limit identity theft when people compromise financial records. So there's already some rules here that talk to cybersecurity, but-
Jake: They do. But I think the SEC rightly so, says that even though the current law and these rules do require advisors and funds to pay attention to cybersecurity, the SEC also acknowledges that none of these current rules require advisors or funds to adopt and implement comprehensive cybersecurity programs. And while some advisors and funds have done so, this is my favorite part, the SEC is "Concerned that many funds have not implemented reasonably designed cybersecurity programs." And just FYI, by way of background, and this is cited in the 243-page document, but the SEC over the past decade or so has on several occasions done spot checks, if you will, of cybersecurity programs within their regulated industry and then published reports and let's just say that this is not... You would not get your good student discount if you were someone getting these report cards. So I think that's why the SEC is concerned. They know that people aren't doing this. Yeah.
Kip: Well, what a flair for understatement.
Jake: Yes.
Kip: They're concerned. All right. All right. So in terms of this episode though, we wanted to cover some background about how we got here and why the SEC wants to do this, that is update rules. So let's talk about the new rules. What do you think they're going to require?
Jake: Okay, so I'm going to start with this nice fact sheet that the SEC supplied alongside its February 9th, 2022 press release. There will be a link in the show notes.
Kip: Yes, please.
Jake: And I'm going to use that to help us summarize the proposed rules. So at a high level, there are basically four items in the proposal and those requirements will require advisors to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks. That's one. Two is, report significant cybersecurity incidents to the commission on a newly designed form because the SEC loves forms. Third is, it's going to, and this is more of the rule, would enhance advisor and fund disclosures related to cybersecurity risks and incidents. And then finally, advisors and funds would have to maintain, make, and retain certain cybersecurity related "Books and records." And books and records is an existing term-of-art within this industry.
Kip: I would have to think so. For them to continue to use it's-
Jake: As you said, when this was passed, they were literally using ink ledgers in books.
Kip: Yeah. Yeah. Yeah. Okay. So those are four really interesting points. The two middle ones though, I think we should briefly touch on those, but let's spend the rest of our time talking about the written policies and procedures because I want to... I'm just fascinated by the books and records thing.
Jake: Yeah, me too. And so those two in the middle are a reporting requirement with the SEC form and that sounds like a good idea in general, but still, I think this one's a little trickier than it seems, right Kip?
Kip: Mm-hmm. Yeah, yeah, definitely. So there's much vaguery here. There's going to need to be a definition of what exactly is a significant cybersecurity incident. That, I don't believe is a commonly defined term in any industry, let alone financial services. But I think there's even more that needs to get sorted out in terms of definitions. Reporting obligations, there's a lot of questions there, like when does the clock start? When you've had a significant cybersecurity incident, what is the start point of that? Do you go back in your digital evidence to the first discovered incident that ultimately cascaded into the thing that made it significant? Or is it when management finally agrees that there's been an incident? Can you weasel your way around that? I mean, I just see that all the time. So there's got to be a lot more clarity here and reporting obligations, are there penalties? What are they?
Because a lot of people try to sweep the stuff under the rug, right? I mean, if I don't report it, who's going to know kind of thing. So this sounds good at the top, but once you start digging into it, I think it's difficult. Having said that, I do think advisors and funds should be required to disclose the cybersecurity risks they face and the incidents that they've experienced. This is a long-running wish that we in the cybersecurity community have and fortunately, there's actually been some actions towards this, just like the National Transportation Safety Board has open investigations whenever there's a major accident in airlines or highways and root cause is determined, and then that information is given out to everybody so that they can make improvements to avoid that kind of calamity again, especially if there's loss of life.
And I think, and I think other people believe, that we would be better off if that sort of thing happened as well. And so I think it would be good if the SEC would promote that. But even myself as an individual consumer, I would love to know that advisor A or fund A, I would like to know that they've carefully identified their cyber risks and that they're reporting on them and for me, I'm more likely to trust them with my money. Yeah, I mean, even though there's some issues here, I think it's good.
Jake: And I agree on both points. I think the reporting is important. You're totally right, though the SEC is going to have its hands full, writing up a truly effective and useful rule. And that'll definitely be something to monitor. So let's get into the real meat here and go ahead. Let's kick it off.
Kip: That's the requirement for written cybersecurity policies and procedures and WISP. We want a written information security program. Is that fair to use that term?
Jake: That's right. Yep.
Kip: Okay. So it's got to be written and you know I struggle with that. People get so distracted, I think about the fact that it has to be written and they get nervous. And so there's people who will just buy an off-the-shelf set of policies and procedures and construct this extremely elaborate window dressing, but they'll never operationalize them and so that just seems like a big waste of money. I talk with customers all the time about not doing it. My recommendation is don't document anything if all you're going to do is ignore it, I just think that's... There's a lot of peril there. I mean, it makes the auditors go away but if you ever get into a situation where you're called to account by a regulator or a court of law or something like that, I mean, I would think it'd be pretty obvious pretty fast that nobody ever did anything that was in those policies and that just seems like a really weak position to be in.
Jake: Yeah, and it's really fascinating. In fact, I think you just inadvertently gave me an idea for a future episode, which is the difference between the way that auditors work and the way that regulatory investigations or lawsuits work. The two are really quite different. They serve different purposes.
Kip: And you see auditors a lot more than you see-
Jake: I mean, oh, of course. Yeah. A lot of companies, you have to see an auditor every year. So like I said, this is not knocking auditing, this is just pointing out that there are different... They serve different purposes and they do different things.
Kip: And I'm actually affirming your point here because in my experience, I think this distinction that you're making is lost on a lot of management team members because like I said, they see auditors all the time, but they don't really encounter regulators and plaintiff's attorneys. So they really haven't had that experience of knowing that it's such a different thing. So yeah, I think that would be a good episode but I guess as far as the written cybersecurity policies and procedures goes, I just want to say that I do think you should have them, but I just think they should be minimum viable. I think you should write down the very least, you can get away with and still be reasonable. But make sure you operationalize that stuff.
Jake: And let's unpack that a little bit more, and I'm going off script here because I think this is a really, really interesting and important point. There's a growing requirement out there for written policies and procedures, and you're... In fact, some of the criticism leveled against the recent GLBA update, the GLBA rules update, the safeguards rule, was that the written, or I should say the contents of the written policies and procedures were getting a little bit too specific and people were concerned about whether that would reduce flexibility. And in fact, that's accidentally veering back to the script. Every client isn't the same and needs do vary substantially and the proposed rules take that into account, or I mean they will. The proposal itself absolutely discusses the need for flexibility and provides quite a bit of it and it says how advisors and funds can choose to handle their cybersecurity risk internally or through the help of an external party. Hey, I think we know some good folks for that, right?
Kip: Absolutely.
Jake: And in any event, deciding who is responsible is just part of this process. And it would be interesting to come back to and discuss the idea of written policies and procedures.
Kip: Yeah. We should.
Jake: As a lawyer, I think I'm heavily biased in favor of things in writing and a big part of that isn't just because... I mean, I'm torn as well, I don't like that people, that it becomes a checkbox item, that you're just like, "Oh, I have it in writing." Because that's missing the point of the exercise and I mean, extremely missing the point of the exercise. But at the same time, my view tends to be, if it's not in writing, it might as well not exist. And I think that's largely true and we're going to see that in a moment because the word "Written" comes up quite a bit here. So Kip, speaking of this process that we just mentioned, what is the first step when developing a comprehensive cybersecurity program?
Kip: Well, I think you need a risk assessment, right?
Jake: That is, yes, absolutely.
Kip: Yeah. Although that's not... That's another very squishy thing to do, a risk assessment. There is no universal risk assessment. There's no single risk assessment checklist. In fact, I just finished creating and recently have published on LinkedIn Learning an IT and Cybersecurity Risk Essentials course. So I just spent a ton of time trying to figure out, for the purposes of building my course, is there a generalized risk assessment methodology and so forth? And I kind of found one but anyway, you should definitely go check out my course if you want to know more, but you need to do a risk assessment and the SEC's proposed rule would, in fact, require advisors and funds to do this periodically. And it even says that they have to "Assess, categorize, prioritize," love that word, "And draft written documentation of the cybersecurity risks associated with their information systems and the information residing therein." And yes, I quoted that.
Jake: You did. Yeah. Now prioritize, I'm going to scoot the soapbox over to you and invite you to stand up on it because I know that this word matters a lot to you. Because I mean, I think what happens sometimes is one of our many catchphrases, or this is I think is your catchphrase is, infinite risk, finite resources.
Kip: Yeah.
Jake: Is that right?
Kip: Yeah, that's right. I mean, we all have unlimited risk coming at us, and we all have limited resources. Even the NSA and other parts of the government, which seemingly have unlimited funding. I mean, it's still limited. I mean, look what Edward Snowden did to the National Security Establishment, an organization that you would think would have all the resources that they needed to cover every base, and they didn't. And so we have to prioritize, and the question is, how are you prioritizing? And what I see a lot of our customers do is using means of prioritizing that I don't think are very, very robust and don't create a lot of business value. For example, just reacting to what gets printed in the newspapers, just watching the headlines and my gosh, it's just the tip of the iceberg. If you do that, you miss so much and other people just say, "Well, whatever Microsoft's doing, or whatever Cisco is doing." Pick your favorite vendor and they track along with them and that's how they set the priorities.
Jake: And as you say that, I think to myself, "Gosh, but those companies are so different from most other companies." Their risks are very different.
Kip: Right. Well, so they're not literally doing what Cisco's doing and Microsoft's doing, they're just buying whatever products these vendors are selling. They're saying, "Well, if this is a product that's being sold by a top tier vendor of security products, it must be important and I must have to implement it because everybody else is."
Jake: Well, that's a real interesting way to spend your cybersecurity dollars, isn't it?
Kip: Oh, I see it all the time. I see it all the time. And I'm not saying it's a totally bankrupt way of doing it but the point is that if you have a substantial risk and no vendor is selling any product on it, you're going to miss it. You're just going to miss it.
Jake: Yeah, no, that's right. Okay. It's funny, I can already see how that books and records requirement is being built up here. And I want to make, just to be clear, again, the proposal goes into very specific detail in a number of 243 pages about this whole risk assessment process and all the goals that it should meet. I'm personally very curious to see what the eventual rule language will include but why don't you go ahead to the next element here, Kip?
Kip: Yeah. Yeah. So the next element of reasonably designed policies and procedures has to do with user security and resource access and there's five items that they say have to be included. There's first of all, standards of behavior for authorized users. The second is identification and authentication protocols. The third is password management in support of authentication. The fourth is restricted access based on need to know and limited access principles. And then the final, fifth one is secure protocols for remote access to the advisor or the fund's information systems. Yeah, I like that. That's all reasonable. There's a little squishiness in there.
Jake: There is and there's always going to be squishiness. And that's really the challenge here is even though those five points seem, or at least could seem pretty squishy, I can also see how some people might complain that even that is too much of a requirement. "What if we never use passwords?" But of course, at the same time, really the actual full phrase is talking really about just supporting authentication. So the SEC's going to have work to do here, as they move toward actual final language, they're not going to... They're going to want to avoid specifying technologies, techniques, things like that, and really focus on concepts and principles that I think are less likely to expire.
Kip: Right, in other words, don't go in the same direction as the payment card industry's data security standard, which is extremely specific and becomes stale very fast and they're not always quick to update that stuff. But anyway, that's that element. Now there's another category of information protection, more vagaries, right?
Jake: Yeah, it is. And it's interesting because even though the SEC spilled about two and a half pages of digital ink on it, that's really a very small percentage of the total, right? And this is a pretty major part.
Kip: So 1%.
Jake: What I interpret it as is really the protect function of the NIST cybersecurity framework. And I think what that means is monitoring systems, classifying sensitivity of information, IDS, IPS technologies, et cetera. It really does seem like the section is a little bit less well developed at this point. But that's okay. I think the SEC has plenty of time to clarify this stuff.
Kip: I hope that they don't try to reinvent the wheel here. It would really be nice if they would just incorporate NIST CSF by reference or something like that. I mean, that would really help.
Jake: They certainly cite to it a lot. If you peruse the footnotes in this 243-page document, the CSF 800, SP 800-53, all that good stuff comes up a lot. So they're clearly on board and aware of it. So we'll see what they end up doing.
Kip: Yeah, interesting. Okay, so for those of you who are in this area, a fund or an advisor, and you're thinking, "Maybe I should check out this NIST CSF thing," if you haven't already. Well, guess what? I've been really busy lately, and I have another course that you could go and get. This one's not on LinkedIn Learning though, it's on Udemy. You can go to Udemy and you can find my Implementing NIST CSF course. It was just released, and I think it turned out really, really well. But yeah, you should go check it out, tell me what you think. I'd love to hear some feedback. Back to the SEC, there's only two more sections of the policies and procedures. Section one is threat and vulnerability management, which, that's good. And then incident response and recovery is the other one. They really do need to incorporate NIST to flesh all this out and there's an opportunity to guide them. They want feedback, don't they?
Jake: They do. I mean there's almost, I think there's 40 plus questions overall, maybe even more than that, throughout the 243-page procedure, or proposal rather, so they really are looking for help here. Getting ready to wrap this up. So the record keeping, which is the books and records requirement, really, it's fairly straightforward. Advisors and funds must keep copies of their cybersecurity policies and procedures, but they also have to maintain copies of any of the annual reports that document the annual review of cybersecurity policies and procedures. That's something that's in there. Copies of that new form, they're calling it ADV-C, I have no idea what that stands for or why, but that's the reporting requirement.
And then records that fully document any cybersecurity incident over the last five years. So just FYI, that's an interesting requirement. Not so much because it's a requirement just, but because I like how it specifies the duration. It really means that if you've got a records retention policy and you're regulated here, make sure that you keep this stuff for at least five years. And then the last one is, records documenting the advisor's risk assessment over the last five years and just to be clear, funds all have similar requirements. So there you go. That is a distillation in about 35 minutes of the entire 243-page SEC proposal.
Kip: Wow. If anybody was planning to read it now you don't have to, now you know, but I wanted to ask you a question about the second to last copy requirement where it was records that fully document any cybersecurity incident over the last five years. I know from talking to you and working with you, that attorney-client privilege could apply to those kinds of records and even the risk assessments. So how would that be navigated if an advisor or a fund was using legal advice to do those incidents in those risk assessments? How does that work?
Jake: That's a good question. I think that these requirements basically mean that those types of documentation are just outside the scope of attorney-client privilege. In other words, there's a specific requirement here that you have these records. What exactly the records will require, whether they include privileged material, that's a question for someone who's more generally familiar with the SEC itself and the way it regulates. All of that will eventually come to light. But that's a good question. It remains to be seen.
Kip: Well, it certainly comes up in our work for sure. So my work is never boring, I'll tell you that. Stuff's always changing.
Jake: No, and it's never ending. I mean, here it is 2022 and we've got one of the most well recognized national agency regulators out there, the SEC just now really thinking about specifically talking about cybersecurity. I mean, it's pretty fascinating if you think about it, how one of the reasons that they're doing this is that, like I said at the beginning, none of the SEC's current rules use the phrase "Cybersecurity." It's just not there. Which is almost crazy given how much we rely upon stock markets and things like that too, that really have such an impact on the economy.
Kip: Yeah, absolutely. Absolutely. Okay. This has been great. Any final words?
Jake: No, I don't have any final words.
Kip: Amazing.
Jake: It is amazing. I think that there's just a lot that remains to be seen here.
Kip: Yeah, yeah. But this is your sneak peek. So, all right, that wraps it up then, this episode of the Cyber Risk Management Podcast. Today we discussed the Securities and Exchange Commission's proposal for new cybersecurity risk management rules that will apply to investment advisors and investment companies. Thanks everybody. We'll see you next time.
Jake: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
YOUR HOST:
Kip Boyle
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
YOUR CO-HOST:
Jake Bernstein
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.