Proposed SEC Cybersecurity Regulations for Registered Advisers

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Proposed SEC Cybersecurity Regulations for Registered Advisers

Registered Advisors May Soon be Impacted by New SEC Cybersecurity Rules

Registered Advisers and Investment Companies rely on a growing number of digital tools and technology vendors both directly and through service providers such as custodians, brokers, dealers, and pricing services. There is significant cybersecurity risk that a targeted breach may lead to financial, operational, and legal ramifications.  A 2021 report from Ponemon Institute and IBM Security noted the average cost of a data breach in the U.S. financial industry is $5.72 million, not to mention irreparable reputational harm that also can occur.

The Securities and Exchange Commission (“SEC”) has proposed new regulations under the Investment Advisers Act of 1940 and the Investment Company Act of 1940 related to cybersecurity for Registered Investment Advisers and Funds.  The proposal also amends certain disclosure requirements on the Form ADV and in registration statements. Highlights of the proposed rules would require the following:

  • Implementation of written cybersecurity policies and procedures designed to address all cybersecurity risks that could harm advisory clients and fund investors
  • Confidential reporting of any significant cybersecurity incidents affecting the adviser, the fund, or clients/investors to the SEC
  • Public disclosure of cybersecurity risks and significant cybersecurity incidents occurring within the last 2 fiscal years in registration statements
  • Recordkeeping by advisers and funds to improve the availability of cybersecurity-related information

One goal of the proposed regulations is to help facilitate the SEC’s inspection and enforcement capabilities related to cybersecurity measures. However, the primary objective is to encourage effective, robust practices industry-wide to better protect clients and investors.

The public comment period will remain open through at least April 11, 2022.

Concerned about cybersecurity for your company? See how Keiter may be able to assist  with our Cybersecurity Consulting Services.

Share this Insight:

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us