SEC Proposed Rule Includes New 48-Hour Cyber Incident Reporting Requirement
In February 2022, the Securities and Exchange Commission (SEC) released proposed Rule 206(4)-9, which includes a range of new requirements for organizational cybersecurity practices and cyber incident reporting. While the rule is not yet solidified, it provides valuable insight into the intentions of the SEC and what can be expected for Registered Investment Advisers (RIAs) and private funds in the near future.
While the proposed rule, if enacted in its current form, will have implications for cybersecurity policies and programs at impacted firms, one aspect of the rule that is getting particular attention is the new cyber incident reporting requirement that the rule would establish. According to the proposed rule, RIAs and private funds must now submit a confidential report to the SEC within 48 hours from when a “significant cyber incident” is discovered.
Significant cyber incident reporting window is now 48 hours
The new reporting requirement instructs registered investment advisers and private funds to confidentially report a significant cyber incident to the SEC within 48 hours. The 48-hour timer begins once advisers have a reasonable basis to conclude that an incident has occurred or is occurring. This shift in the reporting requirement is significant because it does not require definitive evidence of an incident prior to submitting a report. Instead, RIAs and private funds must file a report based on reasonable assumptions. While 48 hours is a fast turnaround time, it is worth noting that a cyber incident does not need to be resolved within 48 hours; it simply needs to be reported within that timeframe.
When RIAs/private funds need to submit a cyber incident report
The SEC defines a “significant cyber incident” as:
“A cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client [including a private fund], or an investor in a private fund, whose information was accessed.”
If an incident meets any of the criteria in the above definition, the next step would be to fill out Form ADV-C, which will be filed electronically with the SEC through the Investment Adviser Registration Depository (IARD) platform. Once a report is filed, Form ADV-C must also be updated within 48 hours if/when information about the incident becomes outdated.
Form ADV-C must also be updated within 48 hours when:
- Any information on the form becomes materially inaccurate
- New information about a previously filed incident report is discovered
- A previous incident has been resolved
- An internal investigation regarding the reported incident has concluded
Faster incident reporting and updating the SEC on pertinent information will aid in identifying and containing breaches to better protect organizations and investors alike.
Implications
The proposed rule largely focuses on the reporting efforts for cyber incidents, rather than the depth of information in the report. Therefore, in order to abide by the 48-hour reporting window, the initial information submitted about a cyber incident will likely be high-level. The first report will alert the SEC of an incident, while the subsequent reports will update and refine information as the firm discovers new relevant details. Because any person can discover a cyber incident, employees and executives alike must have streamlined reporting communication practices in place to ensure timely and accurate reporting.
Further, submitting a cyber incident report to the SEC is not synonymous with a firm having a poor cybersecurity program. Some may fear that reporting a cyber incident would flag their firm for the SEC to further investigate; however, hiding a breach is not a viable option. Firms can learn from a former head of security, who was found guilty of obstruction of justice for hiding a breach in 2016 and now faces up to eight years in prison. Confidentially disclosing breaches to the SEC will help firms be proactive in their response programs and alert the SEC of any alarming industry trends, which will benefit all parties involved in both the short and long term.
Takeaways
The SEC is continuing to focus on cybersecurity policy and reporting alongside the existing cyber exam requirements. This means that firms’ approaches to cybersecurity should not only include policies and procedures to prevent breaches, but firms should also establish plans to quickly escalate and report incidents to the SEC. Although the proposed rule may seem daunting, early preparation can help. It may be tempting to wait until the rule is finalized before starting to prepare, but regardless of the final details within the rule, the SEC is looking to prioritize these areas in the near future, and organizations have the opportunity to change with the SEC rather than scrambling to catch up afterwards.
How we help
ACA can help organizations achieve compliance with the SEC’s proposed cybersecurity requirements with services such as:
- Compliance Program Reviews, Mock Exams, and Gap Analysis
- Compliance Program Development and Enhancement
- Aponix Protect™ to build a comprehensive cybersecurity and technology risk management program tailored to your business needs
- Compliance Training and Education
- Business Impact Analysis and Business Continuity Plans
- Risk Assessments
Reach out to your ACA consultant, or contact us to find out more about the proposed cybersecurity rules, or to find out how we can help your firm comply with the new requirements.