The Securities and Exchange Commission (SEC) today proposed amendments to Regulation S-P that strengthen the protection of customer information and bring it under a cybersecurity governance framework. The proposal matters to investment managers and financial advisors because it sets expectations for how they safeguard clients' sensitive information and keep it out of the hands of cybercriminals.

The proposed changes to Regulation S-P include several new requirements that covered firms would have to meet:

  1. Written policies and procedures: Investment managers and financial advisors must establish, maintain, and enforce written policies and procedures covering the administrative, technical, and physical safeguards that protect customer records and information.
  2. Risk assessments: They must periodically assess internal and external cybersecurity threats and evaluate whether their policies and procedures actually address those threats.
  3. Incident response plans: They must establish and implement written incident response plans with procedures for detecting, responding to, and mitigating cybersecurity incidents.
  4. Employee training: They must regularly train employees on the proper handling of customer information and on the cybersecurity threats that target it.
  5. Oversight of third-party service providers: They must take appropriate measures to oversee their third-party service providers and confirm that those providers have adequate cybersecurity measures in place to protect customer information.

These proposed changes are significant because they reflect the SEC's increased focus on cybersecurity governance, which has become a major concern for investment managers and financial advisors in recent years. These firms hold a wealth of sensitive client information, including personally identifiable information, financial data, and investment strategies. That information is highly valuable to cybercriminals, who can use it for identity theft, financial fraud, and other crimes, and the proposed amendments are intended to keep it out of the wrong hands.

To prepare for the new requirements, financial firms should take the following actions:

  • Establish robust, written cybersecurity policies and procedures
  • Conduct regular risk assessments and act on their findings
  • Implement and exercise incident response plans so the firm is prepared to respond to and mitigate cybersecurity incidents
  • Train employees regularly so they recognize cybersecurity threats and understand the proper handling of customer information
  • Review third-party service providers' cybersecurity measures and document that oversight

As we wait for the SEC to finalize its Cybersecurity Risk Management Rules (proposed rules 38a-2 and 206(4)-9) this April, today's proposal indicates that the Commission plans to keep a public disclosure requirement in the finalized version. Agio has been helping RIAs and funds prepare for SEC cybersecurity examinations since 2014 through our vCISO-led SEC Cybersecurity Governance program, Incident Response Management program, and XDR monitoring and detection services. Contact us, we can help.