The Securities and Exchange Commission (SEC) is weighing new rules to tighten cybersecurity risk management in the finance sector, which was the most-attacked industry sector in 2021.

If adopted, the rules will constitute the first SEC mandate specifically requiring financial firms to implement comprehensive cybersecurity programs. Commissioners advanced the proposal on February 9. It is now open for public comment until April 11.

“The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” said SEC Chair Gary Gensler.

Investment funds and advisers rely on an extensive array of potentially vulnerable information technology systems and control sensitive financial data on behalf of their investors, making them ripe targets, yet 58 percent of financial firms have self-reported “underspending” on cybersecurity. The proposed rules also come against the backdrop of the global pandemic, increasing digitalization of the economy, and rising geopolitical tensions, all of which place firms at greater risk of attack from criminals and other malicious actors.

In addition to requiring that investment firms implement cybersecurity programs, the new rules would require them to report cybersecurity incidents to the SEC for monitoring and assessment.

The agency already has well-established procedures requiring advisers to disclose information on their business practices, fees, and potential conflicts of interest. Those forms would be amended to include a section on cybersecurity risks and incidents that have occurred in the last two fiscal years.

The SEC’s proposal identifies asymmetric information as a source of economic inefficiency, so regulators expect that comprehensive cybersecurity measures will decrease negative externalities for firms, advisers, and clients.

Factoring those benefits, the SEC anticipates that the rules’ economic costs will not be “material in the aggregate, although they may have significant effects on … smaller advisers and smaller fund families as well as their clients and investors.”