On May 21, 2024, the Securities and Exchange Commission (SEC) released a statement clarifying the disclosure requirements for cybersecurity incidents under the new rules adopted in July 2023. While these rules target public companies, they provide valuable insights into the SEC’s renewed stance on cybersecurity, which is likely to impact future guidelines for investment management firms, including registered investment advisors (RIAs). 

A statement from Erik Gerding, Director of the Division of Corporation Finance, addresses the distinction between disclosing material cybersecurity incidents under Item 1.05 of Form 8-K and voluntarily disclosing immaterial incidents or those for which a materiality determination has not yet been made under Item 8.01. Importantly, suppose a company initially discloses an immaterial incident under Item 8.01 but subsequently determines it to be material. In that case, the company must file an amended Form 8-K under Item 1.05 within four business days of the materiality determination.  The trend that we are seeing in 8-K filings is that many companies are erring on the side of transparency to report on incidents they believe had no material impact. 

cyber governance sec-ready cyber governance

Addressing the Statement’s Impact on Investment Management Firms  

The statement underscores the importance of having robust processes in place to assess, identify, and manage material cybersecurity risks. The SEC is finalizing its rules for cybersecurity risk management for RIAs and funds and the expectation is it will align with the requirements for public companies. 

Investment management firms must be prepared to: 

  • Disclose the impact of a cybersecurity incident within four days of determining its materiality. 
  • Describe the processes for assessing, identifying, and managing material cybersecurity risks. 
  • Outline management’s role and the board’s oversight in managing risks posed by cybersecurity threats. 

 

You must carefully evaluate the SEC’s guidance on assessing materiality, which extends beyond financial condition and results of operation. Qualitative factors, such as reputational harm, customer or vendor relationships, competitiveness, potential litigation or regulatory investigations, and regulatory actions, must also be considered. 

See also  Are You Using The Same Three Passwords From Five Years Ago?

cyber governance be confidently sec audit ready today

Preparing for Increased Cybersecurity Scrutiny  

As cybersecurity concerns continue to escalate, investment management firms can expect heightened regulatory oversight and investor scrutiny. Proactive measures, such as implementing robust cybersecurity governance programs and undergoing mock audits, can help firms stay ahead of shifting regulations, demonstrate their commitment to safeguarding client information, and mitigate cyber risks. 

Agio’s SEC Cybersecurity Governance Program aligns firms with best practices, SEC risk alerts, and regulations, ensuring a comprehensive and compliant cybersecurity posture. The program includes: 

  • Security risk assessment with an SEC mock audit 
  • Penetration testing 
  • Policy review and development 
  • Social engineering testing 
  • Incident response testing 
  • Security awareness training 
  • Security architecture review 
  • Vendor risk assessments 
  • Audit assistance 
  • Proactive monitoring 
  • Monthly security strategy review calls 

 

Additionally, Agio’s SEC Readiness Assessment provides a thorough evaluation of a firm’s information security program, policies, workflows, security architecture, and user awareness, measured against the NIST Cybersecurity Framework and the 28 areas of interest from the SEC Division of Examinations’ Risk Alert. 

By partnering with cybersecurity experts like Agio, investment management firms can stay ahead of changing regulations, mitigate cyber risks, and demonstrate their commitment to safeguarding client information and maintaining a robust cybersecurity posture. Contact us today.